http://bugzilla.novell.com/show_bug.cgi?id=1045886
http://bugzilla.novell.com/show_bug.cgi?id=1045886#c20
--- Comment #20 from Andrei Borzenkov
So, by running that innocent-looking command, a user would inadvertently provide his personal keys to a system service??
And to another user. To illustrate:

bor@10:~> id -a
uid=1000(bor) gid=100(users) groups=100(users)
bor@10:~> keyctl show -x
Session Keyring
0x2f8153fa --alswrv      0     0  keyring: _ses
0x144397e9 ----s-rv      0     0   \_ user: invocation_id

test@10:~> id -a
uid=1001(test) gid=100(users) groups=100(users)
test@10:~> keyctl show -x

So both users already have access to exactly the same keyrings. Now let's try what you suggest.

bor@10:~> keyctl link @us @s
test@10:~> keyctl link @us @s

OK, let's check.

bor@10:~> keyctl show -x
Session Keyring
0x2f8153fa --alswrv      0     0  keyring: _ses
0x144397e9 ----s-rv      0     0   \_ user: invocation_id
0x095ea2d9 ---lswrv   1001 65534   \_ keyring: _uid_ses.1001
0x320d41af ---lswrv   1001 65534   |   \_ keyring: _uid.1001
0x0e9e06aa --alswrv   1000 65534   \_ keyring: _uid_ses.1000
0x18889b01 --alswrv   1000 65534       \_ keyring: _uid.1000

test@10:~> keyctl show -x
Session Keyring
0x2f8153fa --alswrv      0     0  keyring: _ses
0x144397e9 ----s-rv      0     0   \_ user: invocation_id
0x095ea2d9 --alswrv   1001 65534   \_ keyring: _uid_ses.1001
0x320d41af --alswrv   1001 65534   |   \_ keyring: _uid.1001
0x0e9e06aa ---lswrv   1000 65534   \_ keyring: _uid_ses.1000
0x18889b01 ---lswrv   1000 65534       \_ keyring: _uid.1000

So both users now have access to user keyring of each other.
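Added example, not part of the original comment or of keyutils: a small check that parses `keyctl show -x` output and reports the condition shown in comment #20, namely a session keyring owned by another uid and other users' `_uid.N` / `_uid_ses.N` keyrings reachable from it. The function names are hypothetical, and the sample text is bor's output copied from the comment.

```python
import re

# One row of `keyctl show -x`: id, 8-char permission column, uid, gid, tree art, "type: name".
ROW = re.compile(
    r"^\s*(?P<id>0x[0-9a-fA-F]+)\s+(?P<perm>[-alswrv]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"\s+(?:[|\s]*\\_\s*)?(?P<type>\w+):\s+(?P<name>\S+)\s*$"
)
USER_KEYRING = re.compile(r"^_uid(?:_ses)?\.(\d+)$")

# bor's view before the link commands (copied from the comment above).
BEFORE_LINK = r"""Session Keyring
0x2f8153fa --alswrv      0     0  keyring: _ses
0x144397e9 ----s-rv      0     0   \_ user: invocation_id
"""

# bor's view after both users ran `keyctl link @us @s` (copied from the comment above).
AFTER_LINK = BEFORE_LINK + r"""0x095ea2d9 ---lswrv   1001 65534   \_ keyring: _uid_ses.1001
0x320d41af ---lswrv   1001 65534   |   \_ keyring: _uid.1001
0x0e9e06aa --alswrv   1000 65534   \_ keyring: _uid_ses.1000
0x18889b01 --alswrv   1000 65534       \_ keyring: _uid.1000
"""

def parse_rows(text):
    """Return one dict per key row; the 'Session Keyring' header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["uid"], row["gid"] = int(row["uid"]), int(row["gid"])
            rows.append(row)
    return rows

def session_owned_by_other(text, my_uid):
    """True when the top-level session keyring belongs to a different uid."""
    rows = parse_rows(text)
    return bool(rows) and rows[0]["uid"] != my_uid

def foreign_user_keyrings(text, my_uid):
    """List (id, name, perm) for per-user keyrings of other uids in this tree."""
    hits = []
    for row in parse_rows(text):
        m = USER_KEYRING.match(row["name"])
        if row["type"] == "keyring" and m and int(m.group(1)) != my_uid:
            hits.append((row["id"], row["name"], row["perm"]))
    return hits

if __name__ == "__main__":
    print(session_owned_by_other(AFTER_LINK, 1000), foreign_user_keyrings(AFTER_LINK, 1000))
```

To check a live session, pass the captured output of `keyctl show -x` and the caller's uid (for example `os.getuid()`) instead of the embedded samples.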