| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Aug 2016 14:43:13 -0700 From: Gwendal Grignou <gwendal@...omium.org> To: David Howells <dhowells@...hat.com> Cc: Gwendal Grignou <gwendal@...omium.org>, james.l.morris@...cle.com, serge@...lyn.com, keyrings@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, "Theodore Ts'o" <tytso@....edu> Subject: Re: [PATCH] keyrings: Allow searching the user session keyring On Tue, Jun 14, 2016 at 2:46 AM, David Howells <dhowells@...hat.com> wrote: > Gwendal Grignou <gwendal@...omium.org> wrote: > >> Currently, if a session keyring exists, we are not searching in the >> user session or user keyrings. > > That is correct. New session keyrings are given a link to the user session if > created by pam_keyinit. If you don't want to search the user keyring, you can > just unlink it from your session keyring. The problem I am facing is that ecrytpfs library (see https://github.com/dustinkirkland/ecryptfs-utils/blob/master/src/libecryptfs/key_management.c, function ecryptfs_add_auth_tok_to_keyring) specifically adds the needed keys to user keyring. Without the patch above, this code stops working when a session keyring exists, because the kernel will not search within the user keyring. > > The uid 0 user-session keyring is a potential > security hole because it allows implicit sharing of authentication data > between daemon processes. For ecryptfs, multiple root processes needs to access the key. For mitigating security risk, we run root daemons that don't need the key in thin container (called minijail). > > David
Powered by blists - more mailing lists