Mailinglist Archive: opensuse-bugs (4751 mails)

[Bug 1045886] ecryptfs problems with recent Tumbleweed
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 07 Jul 2017 15:33:03 +0000
  • Message-id: <bug-1045886-21960-bsw55m6zWo@http.bugzilla.novell.com/>
http://bugzilla.novell.com/show_bug.cgi?id=1045886
http://bugzilla.novell.com/show_bug.cgi?id=1045886#c27

--- Comment #27 from Franck Bui <fbui@xxxxxxxx> ---
(In reply to Andrei Borzenkov from comment #20)
> (In reply to Martin Wilck from comment #18)
> > So, by running that innocently-looking command, a user would inadvertently
> > provide his personal keys to a system service??
>
> And to another user. To illustrate:
>
> bor@10:~> id -a
> uid=1000(bor) gid=100(users) groups=100(users)
> bor@10:~> keyctl show -x
> Session Keyring
> 0x2f8153fa --alswrv 0 0 keyring: _ses
> 0x144397e9 ----s-rv 0 0 \_ user: invocation_id
> test@10:~> id -a
> uid=1001(test) gid=100(users) groups=100(users)
> test@10:~> keyctl show -x
>
> So both users already have access to exactly the same keyrings. Now let's
> try what you suggest.


Since you don't show the result of "keyctl show -x" for "test" user, it's hard
to say ;)

I've run the same test and the 2 users get a different session keyring...

How did you log in BTW? Through different ttys?

> bor@10:~> keyctl link @us @s
> test@10:~> keyctl link @us @s
>
> [...]
>
> So both users now have access to user keyring of each other.

That's definitely weird and again I'm seeing different (and expected) results
here.

The user session keyring is supposed to be a per-UID resource, so "@us" for the
"bor" user should be something totally different from "@us" for "test". At least
that's my slight understanding of the keyrings stuff.

Which kernel version are you running? (I'm using 4.11.5-1)

--
You are receiving this mail because:
You are on the CC list for the bug.
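
The comparison discussed in this thread, as an added example that is not part of the original mail: a Python parser for `keyctl show -x` output that reports key serials visible in two users' captures and rows owned by a UID other than the logged-in one. The first capture is the one quoted in the mail; both `test` captures are constructed, and all function names are hypothetical.

```python
import re

# One row of `keyctl show -x`: serial, permissions, uid, gid, an optional
# "\_" nesting marker, then "type: description".
ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(-?\d+)\s+(-?\d+)\s+"
                 r"(\\_\s+)?([\w.]+):\s+(.*)$")

# Capture for uid 1000 as quoted in the mail.
BOR_CAPTURE = r"""Session Keyring
0x2f8153fa --alswrv 0 0 keyring: _ses
0x144397e9 ----s-rv 0 0 \_ user: invocation_id
"""
# Constructed: what "test" would print if it shared bor's session keyring.
TEST_SHARED = BOR_CAPTURE
# Constructed: what "test" would print with its own per-UID keyrings.
TEST_DISTINCT = r"""Session Keyring
0x1a2b3c4d --alswrv 1001 100 keyring: _ses
0x0badc0de --alswrv 1001 65534 \_ keyring: _uid.1001
"""

def parse_keyctl_show(text):
    """Return one dict per key/keyring row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        serial, perms, uid, gid, nested, ktype, desc = m.groups()
        rows.append({"serial": int(serial, 16), "perms": perms,
                     "uid": int(uid), "gid": int(gid),
                     "nested": nested is not None,
                     "type": ktype, "desc": desc.strip()})
    return rows

def shared_serials(capture_a, capture_b):
    """Serials that appear in both captures, i.e. the same kernel key object."""
    a = {r["serial"] for r in parse_keyctl_show(capture_a)}
    b = {r["serial"] for r in parse_keyctl_show(capture_b)}
    return sorted(a & b)

def foreign_owned(capture, login_uid):
    """Rows whose owner differs from the logged-in UID."""
    return [r for r in parse_keyctl_show(capture) if r["uid"] != login_uid]

if __name__ == "__main__":
    print("shared:", [hex(s) for s in shared_serials(BOR_CAPTURE, TEST_SHARED)])
    print("distinct:", shared_serials(BOR_CAPTURE, TEST_DISTINCT))
    print("not owned by 1000:", [r["desc"] for r in foreign_owned(BOR_CAPTURE, 1000)])
```

An empty `shared_serials` result together with an empty `foreign_owned` result is the per-UID separation the mail describes as expected.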