On Tue, 2011-11-15 at 18:23 +0100, Jakub Hrozek wrote:
> On Fri, Nov 11, 2011 at 06:18:55PM -0500, Simo Sorce wrote:
> > After a quick discussion with David Howells (maintainer of
> > keyutils/keyrings) I created this patch for SSSD.
> >
> > It should make the keyrings used to store user passwords not as easy to
> > access even for root by confining them to the sssd process and its
> > children.
> >
> > I haven't really tested it yet, but I guess we want to discuss if this
> > approach is ok first anyway.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> I've tested the patch and delayed auth still works OK. I have a
> question though - if we fail joining the session keyring, that's not
> fatal. Where does keyutils store the key then, if add_key() specifies
> KEY_SPEC_SESSION_KEYRING? To the session keyring sssd inherited from
> its parent?
Yes, if we fail it will just use the same as before, which is more
easily snoopable by root. But I don't think it should be fatal.
> Also I think it would make sense to report the errno value in case joining
> the session keyring fails.
Attached new patch that prints errno on failures.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
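The sequence the thread describes (join a fresh anonymous session keyring, report errno if that fails, then store the secret with KEY_SPEC_SESSION_KEYRING and see which keyring it actually landed in), as an added stand-alone example that is not the SSSD patch itself. It assumes Linux with the uapi header linux/keyctl.h and uses the raw add_key/keyctl syscalls so it builds without libkeyutils; the key description and secret are constructed values.

```c
// Added example, not the SSSD patch: join a fresh anonymous session keyring
// so keys stored via KEY_SPEC_SESSION_KEYRING land in a keyring private to
// this process and its children. If the join fails, errno is reported and
// add_key silently falls back to the inherited session keyring.
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

struct keyring_status {
    long joined;     /* id of the new private session keyring, or -1 */
    int join_errno;  /* errno if the join failed, else 0 */
    long session;    /* keyring KEY_SPEC_SESSION_KEYRING resolves to now */
    long key;        /* id of the stored key, or -1 */
    int key_errno;   /* errno if add_key failed, else 0 */
};

/* Returns 1 if the secret is in a private keyring created here, 0 if it
 * fell back to the inherited session keyring, -1 if it was not stored. */
int store_secret(const char *desc, const char *secret, struct keyring_status *s)
{
    memset(s, 0, sizeof(*s));
    /* NULL name => anonymous keyring; nobody can join it later by name */
    s->joined = syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL);
    if (s->joined < 0) {
        s->join_errno = errno;
        fprintf(stderr, "join session keyring failed: %s\n", strerror(errno));
    }
    /* Whatever KEY_SPEC_SESSION_KEYRING resolves to is where add_key goes */
    s->session = syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID,
                         KEY_SPEC_SESSION_KEYRING, 0);
    s->key = syscall(SYS_add_key, "user", desc, secret, strlen(secret),
                     KEY_SPEC_SESSION_KEYRING);
    if (s->key < 0) {
        s->key_errno = errno;
        fprintf(stderr, "add_key failed: %s\n", strerror(errno));
        return -1;
    }
    return (s->joined >= 0 && s->session == s->joined) ? 1 : 0;
}
```

A return of 0 is the "same as before" case from the thread: the key is stored, but in the session keyring the process inherited, which root can find and read far more easily.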