--- Comment #27 from Franck Bui <fbui(a)suse.com> ---
(In reply to Andrei Borzenkov from comment #20)
(In reply to Martin Wilck from comment #18)
So, by running that innocently-looking command, a user would inadvertently
provide his personal keys to a system service??
And to another user. To illustrate:
bor@10:~> id -a
uid=1000(bor) gid=100(users) groups=100(users)
bor@10:~> keyctl show -x
0x2f8153fa --alswrv 0 0 keyring: _ses
0x144397e9 ----s-rv 0 0 \_ user: invocation_id
test@10:~> id -a
uid=1001(test) gid=100(users) groups=100(users)
test@10:~> keyctl show -x
So both users already have access to exactly the same keyrings. Now let's
try what you suggest.
Since you don't show the result of "keyctl show -x" for "test" user, it's hard
to say ;)
I've run the same test and the 2 users get a different session keyring...
How did you log in BTW? Through different ttys?
bor@10:~> keyctl link @us @s
test@10:~> keyctl link @us @s
So both users now have access to user keyring of each other.
That's definitely weird and again I'm seeing different (and expected) results.
User session keyring is supposed to be a per-UID resource, so "@us" for
user should be something totally different from "@us" for "test". In
my slight understanding of the keyrings stuff.
Which kernel version are you running? (I'm using 4.11.5-1)