Subject: Session keyring caches don't work if session keyring not set (with current Linux)
In many Linux configurations, the PAM stack does not use pam_keyinit or
equivalent, so typical processes have no explicit session keyring. In
this situation, current Linux kernels default to a per-uid default
(known as the user default session keyring) for reading, but when
writing, they create a new session keyring for the process, which is
garbage-collected when the process exits.

The result is that a KEYRING ccache bound to the session anchor cannot
be seen by a subsequent process. This causes a failure in the 1.12
"make check", though it does not break the sparser keyring ccache tests
in 1.11.

After some discussion, future kernel versions will probably write to the
user default session keyring instead of creating a new one. There is
also a workaround we can use to get those semantics with current
kernels: use keyctl_get_keyring_ID() to get the IDs of
KEY_SPEC_SESSION_KEYRING and KEY_SPEC_USER_SESSION_KEYRING, and if they
match, write to KEY_SPEC_USER_SESSION_KEYRING instead of
KEY_SPEC_SESSION_KEYRING.
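The workaround described above, as an added example that is not part of the ticket or of krb5's cc_keyring.c. It goes through the raw keyctl/add_key syscalls rather than libkeyutils so it builds without that library; the key type "user", the description string, the command-line modes and the fallback on failed lookups are this example's own choices.

```c
/*
 * Added example, not code from krb5's cc_keyring.c: the ticket's workaround
 * as a stand-alone Linux program.  Run "put" and then "get" as two separate
 * shell commands; "put-raw" reproduces the problem by writing to
 * KEY_SPEC_SESSION_KEYRING directly.  Key type "user" and the description
 * "example:session-anchor" are constructed for the demo.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

typedef int32_t key_serial_t;

/* Special keyring IDs and keyctl commands; values match <linux/keyctl.h>. */
#define KEY_SPEC_SESSION_KEYRING      (-3)
#define KEY_SPEC_USER_SESSION_KEYRING (-5)
#define KEYCTL_GET_KEYRING_ID         0
#define KEYCTL_SEARCH                 10

#define DEMO_TYPE "user"
#define DEMO_DESC "example:session-anchor"

/* Thin syscall wrappers so no libkeyutils link is needed. */
static long raw_keyctl(int cmd, long a2, long a3, long a4, long a5)
{
#ifdef __linux__
    return syscall(SYS_keyctl, cmd, a2, a3, a4, a5);
#else
    (void)cmd; (void)a2; (void)a3; (void)a4; (void)a5;
    errno = ENOSYS;
    return -1;
#endif
}

static long raw_add_key(const char *type, const char *desc,
                        const void *payload, size_t plen, key_serial_t ring)
{
#ifdef __linux__
    return syscall(SYS_add_key, type, desc, payload, plen, ring);
#else
    (void)type; (void)desc; (void)payload; (void)plen; (void)ring;
    errno = ENOSYS;
    return -1;
#endif
}

/*
 * The decision from the ticket: if the session keyring resolves to the same
 * keyring as the user session keyring, write to the latter by name so the
 * kernel does not create a throwaway session keyring for this process.
 * Failed lookups (negative IDs) fall back to the old behavior; that fallback
 * is this example's choice, not something the ticket specifies.
 */
key_serial_t choose_session_write_anchor(key_serial_t session_id,
                                         key_serial_t user_session_id)
{
    if (session_id > 0 && session_id == user_session_id)
        return KEY_SPEC_USER_SESSION_KEYRING;
    return KEY_SPEC_SESSION_KEYRING;
}

/* Resolve both IDs with create=0: asking for creation here would trigger
 * exactly the new-session-keyring behavior we want to avoid. */
key_serial_t session_write_anchor(void)
{
    key_serial_t s = (key_serial_t)raw_keyctl(KEYCTL_GET_KEYRING_ID,
                                              KEY_SPEC_SESSION_KEYRING, 0, 0, 0);
    key_serial_t u = (key_serial_t)raw_keyctl(KEYCTL_GET_KEYRING_ID,
                                              KEY_SPEC_USER_SESSION_KEYRING, 0, 0, 0);
    return choose_session_write_anchor(s, u);
}

int main(int argc, char **argv)
{
    const char *mode = argc > 1 ? argv[1] : "put";
    long r;

    if (strcmp(mode, "get") == 0) {
        /* A separate process: can it find the key through the session anchor? */
        r = raw_keyctl(KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                       (long)DEMO_TYPE, (long)DEMO_DESC, 0);
        if (r < 0) { perror("search via session keyring"); return 1; }
        printf("found key %ld via KEY_SPEC_SESSION_KEYRING\n", r);
        return 0;
    }

    key_serial_t ring = strcmp(mode, "put-raw") == 0
                      ? KEY_SPEC_SESSION_KEYRING : session_write_anchor();
    r = raw_add_key(DEMO_TYPE, DEMO_DESC, "demo", 4, ring);
    if (r < 0) { perror("add_key"); return 1; }
    printf("added key %ld to anchor %d\n", r, (int)ring);
    return 0;
}
```

Build with `cc -o anchor anchor.c`. From a shell that has no explicit session keyring, `./anchor put` followed by `./anchor get` finds the key, because it was written to the user session keyring that the second process resolves its session anchor to; `./anchor put-raw` followed by `./anchor get` fails with ENOKEY, because the kernel gave the first process a fresh session keyring that was garbage-collected with it. If the shell already has its own session keyring (pam_keyinit, or `keyctl session`), both modes behave alike, which is the case the ID comparison is designed to leave untouched. Container seccomp profiles commonly block keyctl and add_key, in which case both modes fail at the syscall rather than demonstrating the difference.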
From: ghudson@mit.edu
Subject: git commit

Work around Linux session keyring write behavior

If the session keyring matches the user session keyring, write
explicitly to the user session keyring. Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.

https://github.com/krb5/krb5/commit/0642afa544b00054048775d0b9796923bf018e22
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0642afa544b00054048775d0b9796923bf018e22
Branch: master
src/lib/krb5/ccache/cc_keyring.c | 28 ++++++++++++++++++++++++----
1 files changed, 24 insertions(+), 4 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Work around Linux session keyring write behavior

If the session keyring matches the user session keyring, write
explicitly to the user session keyring. Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.

(cherry picked from commit 0642afa544b00054048775d0b9796923bf018e22)

https://github.com/krb5/krb5/commit/dd9975a4345447f3e764472c4d14fb56fdeeece5
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: dd9975a4345447f3e764472c4d14fb56fdeeece5
Branch: krb5-1.12
src/lib/krb5/ccache/cc_keyring.c | 28 ++++++++++++++++++++++++----
1 files changed, 24 insertions(+), 4 deletions(-)