Re: [PATCH] keyrings: Allow searching the user session keyring
From: Gwendal Grignou
Date: Mon Aug 08 2016 - 17:43:41 EST
On Tue, Jun 14, 2016 at 2:46 AM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Gwendal Grignou <gwendal@xxxxxxxxxxxx> wrote:
>
>> Currently, if a session keyring exists, we are not searching in the
>> user session or user keyrings.
>
> That is correct. New session keyrings are given a link to the user session if
> created by pam_keyinit. If you don't want to search the user keyring, you can
> just unlink it from your session keyring.
The problem I am facing is that ecrytpfs library (see
https://github.com/dustinkirkland/ecryptfs-utils/blob/master/src/libecryptfs/key_management.c,
function ecryptfs_add_auth_tok_to_keyring) specifically adds the
needed keys to user keyring.
Without the patch above, this code stops working when a session
keyring exists, because the kernel will not search within the user
keyring.
>
> The uid 0 user-session keyring is a potential
> security hole because it allows implicit sharing of authentication data
> between daemon processes.
For ecryptfs, multiple root processes needs to access the key. For
mitigating security risk, we run root daemons that don't need the key
in thin container (called minijail).
>
> David