[krbdev.mit.edu #7814] Session keyring caches don't work if session keyring not set (with current Linux)
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Jan 8 17:33:22 EST 2014
In many Linux configurations, the PAM stack does not use pam_keyinit or
equivalent, so typical processes have no explicit session keyring. In
this situation, current Linux kernels default to a per-uid default
(known as the user default session keyring) for reading, but when
writing, they create a new session keyring for the process, which is
garbage-collected when the process exits.
The result is that a KEYRING ccache bound to the session anchor cannot
be seen by a subsequent process. This causes a failure in the 1.12
"make check", though it does not break the sparser keyring ccache tests
in 1.11.
After some discussion, future kernel versions will probably write to the
user default session keyring instead of creating a new one. There is
also a workaround we can use to get those semantics with current
kernels: use keyctl_get_keyring_ID() to get the IDs of
KEY_SPEC_SESSION_KEYRING and KEY_SPEC_USER_SESSION_KEYRING, and if they
match, write to KEY_SPEC_USER_SESSION_KEYRING instead of
KEY_SPEC_SESSION_KEYRING.
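The workaround described above, written out as an added example (not MIT krb5's own code): the session and user-session keyring IDs are resolved through the raw keyctl(2) syscall rather than libkeyutils so nothing extra needs linking; the choice itself is a pure function so it can be exercised without touching the kernel. The helper names are assumptions; the KEY_SPEC_* and KEYCTL_GET_KEYRING_ID constants are the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

/* Fallbacks matching <linux/keyctl.h>, in case an old header lacks them. */
#ifndef KEY_SPEC_SESSION_KEYRING
#define KEY_SPEC_SESSION_KEYRING -3
#endif
#ifndef KEY_SPEC_USER_SESSION_KEYRING
#define KEY_SPEC_USER_SESSION_KEYRING -5
#endif
#ifndef KEYCTL_GET_KEYRING_ID
#define KEYCTL_GET_KEYRING_ID 0
#endif

typedef int32_t key_serial_t;

/* Resolve a special keyring ID to the serial of the keyring it currently
 * names, without creating one.  Returns -1 (errno set) on failure, e.g.
 * EPERM when a seccomp policy blocks keyctl. */
static key_serial_t resolve_keyring(key_serial_t spec)
{
    long r = syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID, spec, 0);
    return (r < 0) ? -1 : (key_serial_t)r;
}

/* The decision from the ticket: when the process has no explicit session
 * keyring, KEY_SPEC_SESSION_KEYRING reads as the user default session
 * keyring, but a write through it would make the kernel create a fresh
 * per-process session keyring that dies with the process.  If the two
 * IDs match, write to the user session keyring instead. */
static key_serial_t choose_write_anchor(key_serial_t session_id,
                                        key_serial_t user_session_id)
{
    if (session_id != -1 && session_id == user_session_id)
        return KEY_SPEC_USER_SESSION_KEYRING;
    return KEY_SPEC_SESSION_KEYRING;
}

/* Ask the kernel which keyring the session anchor should write to. */
static key_serial_t session_write_anchor(void)
{
    return choose_write_anchor(resolve_keyring(KEY_SPEC_SESSION_KEYRING),
                               resolve_keyring(KEY_SPEC_USER_SESSION_KEYRING));
}

int main(void)
{
    printf("write anchor: %d (%s)\n", session_write_anchor(),
           session_write_anchor() == KEY_SPEC_USER_SESSION_KEYRING
               ? "user session keyring" : "session keyring");
    return 0;
}
```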