|
Packit |
7cfc04 |
.\"
|
|
Packit |
7cfc04 |
.\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
|
|
Packit |
7cfc04 |
.\" Written by David Howells (dhowells@redhat.com)
|
|
Packit |
7cfc04 |
.\"
|
|
Packit |
7cfc04 |
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
|
|
Packit |
7cfc04 |
.\" This program is free software; you can redistribute it and/or
|
|
Packit |
7cfc04 |
.\" modify it under the terms of the GNU General Public License
|
|
Packit |
7cfc04 |
.\" as published by the Free Software Foundation; either version
|
|
Packit |
7cfc04 |
.\" 2 of the License, or (at your option) any later version.
|
|
Packit |
7cfc04 |
.\" %%%LICENSE_END
|
|
Packit |
7cfc04 |
.\"
|
|
Packit |
7cfc04 |
.TH "PERSISTENT-KEYRING" 7 2017-03-13 Linux "Linux Programmer's Manual"
|
|
Packit |
7cfc04 |
.SH NAME
|
|
Packit |
7cfc04 |
persistent-keyring \- per-user persistent keyring
|
|
Packit |
7cfc04 |
.SH DESCRIPTION
|
|
Packit |
7cfc04 |
The persistent keyring is a keyring used to anchor keys on behalf of a user.
|
|
Packit |
7cfc04 |
Each UID the kernel deals with has its own persistent keyring that
|
|
Packit |
7cfc04 |
is shared between all threads owned by that UID.
|
|
Packit |
7cfc04 |
The persistent keyring has a name (description) of the form
|
|
Packit |
7cfc04 |
.I _persistent.<UID>
|
|
Packit |
7cfc04 |
where
|
|
Packit |
7cfc04 |
.I <UID>
|
|
Packit |
7cfc04 |
is the user ID of the corresponding user.
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
The persistent keyring may not be accessed directly,
|
|
Packit |
7cfc04 |
even by processes with the appropriate UID.
|
|
Packit |
7cfc04 |
.\" FIXME The meaning of the preceding sentence isn't clear. What is meant?
|
|
Packit |
7cfc04 |
Instead, it must first be linked to one of a process's keyrings,
|
|
Packit |
7cfc04 |
before that keyring can access the persistent keyring
|
|
Packit |
7cfc04 |
by virtue of its possessor permits.
|
|
Packit |
7cfc04 |
This linking is done with the
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3)
|
|
Packit |
7cfc04 |
function.
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
If a persistent keyring does not exist when it is accessed by the
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3)
|
|
Packit |
7cfc04 |
operation, it will be automatically created.
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
Each time the
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3)
|
|
Packit |
7cfc04 |
operation is performed,
|
|
Packit |
7cfc04 |
the persistent key's expiration timer is reset to the value in:
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
/proc/sys/kernel/keys/persistent_keyring_expiry
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
Should the timeout be reached,
|
|
Packit |
7cfc04 |
the persistent keyring will be removed and
|
|
Packit |
7cfc04 |
everything it pins can then be garbage collected.
|
|
Packit |
7cfc04 |
The key will then be re-created on a subsequent call to
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3).
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
The persistent keyring is not directly searched by
|
|
Packit |
7cfc04 |
.BR request_key (2);
|
|
Packit |
7cfc04 |
it is searched only if it is linked into one of the keyrings
|
|
Packit |
7cfc04 |
that is searched by
|
|
Packit |
7cfc04 |
.BR request_key (2).
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
The persistent keyring is independent of
|
|
Packit |
7cfc04 |
.BR clone (2),
|
|
Packit |
7cfc04 |
.BR fork (2),
|
|
Packit |
7cfc04 |
.BR vfork (2),
|
|
Packit |
7cfc04 |
.BR execve (2),
|
|
Packit |
7cfc04 |
and
|
|
Packit |
7cfc04 |
.BR _exit (2).
|
|
Packit |
7cfc04 |
It persists until its expiration timer triggers,
|
|
Packit |
7cfc04 |
at which point it is garbage collected.
|
|
Packit |
7cfc04 |
This allows the persistent keyring to carry keys beyond the life of
|
|
Packit |
7cfc04 |
the kernel's record of the corresponding UID
|
|
Packit |
7cfc04 |
(the destruction of which results in the destruction of the
|
|
Packit |
7cfc04 |
.BR user-keyring (7)
|
|
Packit |
7cfc04 |
and the
|
|
Packit |
7cfc04 |
.BR user-session-keyring (7)).
|
|
Packit |
7cfc04 |
The persistent keyring can thus be used to
|
|
Packit |
7cfc04 |
hold authentication tokens for processes that run without user interaction,
|
|
Packit |
7cfc04 |
such as programs started by
|
|
Packit |
7cfc04 |
.BR cron (8).
|
|
Packit |
7cfc04 |
.PP
|
|
Packit |
7cfc04 |
The persistent keyring is used to store UID-specific objects that
|
|
Packit |
7cfc04 |
themselves have limited lifetimes (e.g., kerberos tokens).
|
|
Packit |
7cfc04 |
If those tokens cease to be used
|
|
Packit |
7cfc04 |
(i.e., the persistent keyring is not accessed),
|
|
Packit |
7cfc04 |
then the timeout of the persistent keyring ensures that
|
|
Packit |
7cfc04 |
the corresponding objects are automatically discarded.
|
|
Packit |
7cfc04 |
.\"
|
|
Packit |
7cfc04 |
.SS Special operations
|
|
Packit |
7cfc04 |
The
|
|
Packit |
7cfc04 |
.I keyutils
|
|
Packit |
7cfc04 |
library provides the
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3)
|
|
Packit |
7cfc04 |
function for manipulating persistent keyrings.
|
|
Packit |
7cfc04 |
(This function is an interface to the
|
|
Packit |
7cfc04 |
.BR keyctl (2)
|
|
Packit |
7cfc04 |
.B KEYCTL_GET_PERSISTENT
|
|
Packit |
7cfc04 |
operation.)
|
|
Packit |
7cfc04 |
This operation allows the calling thread to get the persistent keyring
|
|
Packit |
7cfc04 |
corresponding to its own UID or, if the thread has the
|
|
Packit |
7cfc04 |
.BR CAP_SETUID
|
|
Packit |
7cfc04 |
capability, the persistent keyring corresponding to some other UID
|
|
Packit |
7cfc04 |
in the same user namespace.
|
|
Packit |
7cfc04 |
.SH NOTES
|
|
Packit |
7cfc04 |
Each user namespace owns a keyring called
|
|
Packit |
7cfc04 |
.IR .persistent_register
|
|
Packit |
7cfc04 |
that contains links to all of the persistent keys in that namespace.
|
|
Packit |
7cfc04 |
(The
|
|
Packit |
7cfc04 |
.IR .persistent_register
|
|
Packit |
7cfc04 |
keyring can be seen when reading the contents of the
|
|
Packit |
7cfc04 |
.IR /proc/keys
|
|
Packit |
7cfc04 |
file for the UID 0 in the namespace.)
|
|
Packit |
7cfc04 |
The
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3)
|
|
Packit |
7cfc04 |
operation looks for a key with a name of the form
|
|
Packit |
7cfc04 |
.IR _persistent.<UID>
|
|
Packit |
7cfc04 |
in that keyring,
|
|
Packit |
7cfc04 |
creates the key if it does not exist, and links it into the keyring.
|
|
Packit |
7cfc04 |
.SH SEE ALSO
|
|
Packit |
7cfc04 |
.ad l
|
|
Packit |
7cfc04 |
.nh
|
|
Packit |
7cfc04 |
.BR keyctl (1),
|
|
Packit |
7cfc04 |
.BR keyctl (3),
|
|
Packit |
7cfc04 |
.BR keyctl_get_persistent (3),
|
|
Packit |
7cfc04 |
.BR keyrings (7),
|
|
Packit |
7cfc04 |
.BR process\-keyring (7),
|
|
Packit |
7cfc04 |
.BR session\-keyring (7),
|
|
Packit |
7cfc04 |
.BR thread\-keyring (7),
|
|
Packit |
7cfc04 |
.BR user\-keyring (7),
|
|
Packit |
7cfc04 |
.BR user\-session\-keyring (7)
|
|
Packit |
7cfc04 |
.SH COLOPHON
|
|
Packit |
7cfc04 |
This page is part of release 4.15 of the Linux
|
|
Packit |
7cfc04 |
.I man-pages
|
|
Packit |
7cfc04 |
project.
|
|
Packit |
7cfc04 |
A description of the project,
|
|
Packit |
7cfc04 |
information about reporting bugs,
|
|
Packit |
7cfc04 |
and the latest version of this page,
|
|
Packit |
7cfc04 |
can be found at
|
|
Packit |
7cfc04 |
\%https://www.kernel.org/doc/man\-pages/.
|