From patchwork Thu Jul 19 13:35:16 2012
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 1216781
From: Jeff Layton
To: linux-cifs@vger.kernel.org
Cc: knizek.confy@gmail.com, dhowells@redhat.com
Subject: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
Date: Thu, 19 Jul 2012 09:35:16 -0400
Message-Id: <1342704916-2224-1-git-send-email-jlayton@samba.org>
In-Reply-To: <30167.1342557999@warthog.procyon.org.uk>
References: <30167.1342557999@warthog.procyon.org.uk>

Many distros do not call into pam_keyinit to set up the session keyring properly at login time. When cifscreds add is used in such a session, the kernel will spawn a new session keyring in which to install the credentials. That keyring will then go away once the cifscreds process exits.

Check for this situation by looking to see if the session and user-session keyrings are the same. Throw a warning if so, and add some verbiage to the cifscreds manpage that explains the issue.

Also, if the session keyring can't be queried for any reason, then cause the program to error out.

Cc: David Howells
Reported-by: Milan Knížek
Signed-off-by: Jeff Layton
Acked-by: David Howells
---
 cifscreds.1   |  9 ++++++++-
 cifscreds.c   | 34 ++++++++++++++++++++++++++++++++++
 cifscreds.pod |  8 ++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/cifscreds.1 b/cifscreds.1 index 44a02a2..83afae6 100644 --- a/cifscreds.1 +++ b/cifscreds.1 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CIFSCREDS 1" -.TH CIFSCREDS 1 "2012-01-24" "" "" +.TH CIFSCREDS 1 "2012-07-17" "" "" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -186,6 +186,13 @@ different username. The cifscreds utility requires a kernel built with support for the \&\fBlogin\fR key type. That key type was added in v3.3 in mainline Linux kernels. +.PP +Since \fBcifscreds\fR adds keys to the session keyring, it is highly +recommended that one use \fBpam_keyinit\fR to ensure that a session keyring +is established at login time. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIpam_keyinit\fR\|(8) .SH "AUTHORS" .IX Header "AUTHORS" The cifscreds program was originally developed by Igor Druzhinin diff --git a/cifscreds.c b/cifscreds.c index efc76e6..bb35c02 100644 --- a/cifscreds.c +++ b/cifscreds.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "mount.h" #include "resolve_host.h" #include "util.h" @@ -465,6 +466,36 @@ static int cifscreds_update(struct cmdarg *arg) return EXIT_SUCCESS; } +static int +check_session_keyring(void) +{ + key_serial_t ses_key, uses_key; + + ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0); + if (ses_key == -1) { + if (errno == ENOKEY) + fprintf(stderr, "Error: you have no session keyring. " + "Consider using pam_keyinit to " + "install one.\n"); + else + fprintf(stderr, "Error: unable to query session " + "keyring: %s\n", strerror(errno)); + return (int)ses_key; + } + + /* A problem querying the user-session keyring isn't fatal. */ + uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0); + if (uses_key == -1) + return 0; + + if (ses_key == uses_key) + fprintf(stderr, "Warning: you have no persistent session " + "keyring. cifscreds keys will not persist " + "after this process exits. See " + "pam_keyinit(8).\n"); + return 0; +} + int main(int argc, char **argv) { struct command *cmd, *best; @@ -535,5 +566,8 @@ int main(int argc, char **argv) if (arg.user == NULL) arg.user = getusername(getuid()); + if (check_session_keyring()) + return EXIT_FAILURE; + return best->action(&arg); } diff --git a/cifscreds.pod b/cifscreds.pod index 17e453f..c3bafb5 100644 
--- a/cifscreds.pod +++ b/cifscreds.pod @@ -79,6 +79,14 @@ The cifscreds utility requires a kernel built with support for the B key type. That key type was added in v3.3 in mainline Linux kernels. +Since B adds keys to the session keyring, it is highly +recommended that one use B to ensure that a session keyring +is established at login time. + +=head1 SEE ALSO + +pam_keyinit(8) + =head1 AUTHORS The cifscreds program was originally developed by Igor Druzhinin
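Review bot: the cifscreds.1 hunk that adds the .PP paragraph and the "SEE ALSO" section hand-edits what is pod2man output (the `.IX Title` and "For nroff, turn off justification" boilerplate in the first cifscreds.1 hunk are pod2man's), so it duplicates what regenerating from cifscreds.pod would produce. The two copies match in this patch, which is what matters; if the .TH date bump to 2012-07-17 means the file was regenerated, say so in the commit message so the next person knows cifscreds.pod is the only file that needs editing by hand.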
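Review bot: the header name on the new `+#include` line in cifscreds.c is not visible in this rendering of the hunk, and the code added below it uses both `errno` (with the `ENOKEY` comparison) and `strerror()`, so whichever header this line adds, both <errno.h> and <string.h> must end up in scope; if only one of them is new here, a one-line mention in the commit message that the other was already included would spare reviewers the check.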
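Review bot: in check_session_keyring(), `return (int)ses_key;` on the error path hands back the raw -1 from keyctl_get_keyring_ID() rather than a defined failure code; main() only tests the result for nonzero so it works, but a plain `return -1;` says what is meant and does not depend on key_serial_t's width. The rest of the logic is right: with both IDs in hand the warning fires only when the session keyring is the user-session keyring, which is exactly the "no dedicated session keyring was ever installed" situation the commit message describes, and treating a failed user-session lookup as non-fatal is correct because the warning is advisory while the hard error is reserved for the session keyring itself.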
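Review bot: the call placed in main() before `return best->action(&arg);` runs check_session_keyring() for every subcommand, not only for add, so `cifscreds update` (visible above as cifscreds_update()) and the other commands also print "cifscreds keys will not persist after this process exits" and also abort on a query error. If the warning is meant for the commands that install keys, gate it on the selected command (for instance by passing `best` or a flag into check_session_keyring()); otherwise reword the message, e.g. "keys added by cifscreds in this session will not persist", so it reads correctly whichever subcommand triggers it.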
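Review bot: the new paragraph in cifscreds.pod tells the reader to use pam_keyinit but never names the symptom that sends them to the manpage; the C change prints "Warning: you have no persistent session keyring ... See pam_keyinit(8)." and "Error: you have no session keyring", so quoting that warning here and stating the consequence the commit message gives (keys added in such a session vanish when the cifscreds process exits) would let someone who sees the message find the explanation. Also, the B<> targets are not visible in this rendering of the hunk; make sure they read B<cifscreds> and B<pam_keyinit> so they match the \fBcifscreds\fR and \fBpam_keyinit\fR in the cifscreds.1 output.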
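The check the commit message describes (compare the session keyring ID with the user-session keyring ID; if they are equal, no dedicated session keyring was installed at login and keys added now die with the process) can be exercised outside cifscreds. The program below is an added example, not code from the patch or from cifs-utils: it issues keyctl(2) through the raw syscall so it builds without libkeyutils, keeps the decision logic in a pure function (`classify_keyrings`, a name chosen here) so that function can be tested without touching the kernel, and then goes one step past the patch by doing what pam_keyinit does at login, joining a fresh session keyring, and probing again to show that the warning condition clears. The keyctl command numbers and KEY_SPEC_* values are copied from linux/keyctl.h as this author remembers them (an assumption; the header itself is the reference), and `raw_keyctl`, `probe_session_keyring` and the `keyring_state` enum are names invented for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Assumed values, copied from <linux/keyctl.h> so the example builds without
 * libkeyutils or kernel headers. */
#define KEYCTL_GET_KEYRING_ID          0
#define KEYCTL_JOIN_SESSION_KEYRING    1
#define KEY_SPEC_SESSION_KEYRING       (-3)
#define KEY_SPEC_USER_SESSION_KEYRING  (-5)

/* What a cifscreds-style check can conclude from the two keyring lookups. */
enum keyring_state {
    KEYRING_OK = 0,         /* a dedicated session keyring exists */
    KEYRING_NOT_PERSISTENT, /* session == user-session: keys added now are lost at exit */
    KEYRING_UNVERIFIED,     /* user-session lookup failed; the patch treats this as non-fatal */
    KEYRING_MISSING,        /* ENOKEY: no session keyring at all (fatal in the patch) */
    KEYRING_QUERY_FAILED    /* any other error querying the session keyring (fatal) */
};

/* keyctl(2) via syscall(2); returns -1 and sets errno like the libkeyutils wrapper. */
static long raw_keyctl(int cmd, long arg2, long arg3)
{
#ifdef __NR_keyctl
    return syscall(__NR_keyctl, cmd, arg2, arg3, 0L, 0L);
#else
    (void)cmd; (void)arg2; (void)arg3;
    errno = ENOSYS;
    return -1;
#endif
}

/* Pure decision logic, mirroring the order of checks in the patch:
 * a failed session lookup is fatal (ENOKEY gets its own message), a failed
 * user-session lookup is not, and equal IDs mean "not persistent". */
enum keyring_state classify_keyrings(long ses_key, int ses_errno, long uses_key)
{
    if (ses_key == -1)
        return ses_errno == ENOKEY ? KEYRING_MISSING : KEYRING_QUERY_FAILED;
    if (uses_key == -1)
        return KEYRING_UNVERIFIED;
    return ses_key == uses_key ? KEYRING_NOT_PERSISTENT : KEYRING_OK;
}

const char *keyring_state_str(enum keyring_state s)
{
    switch (s) {
    case KEYRING_OK:             return "dedicated session keyring present";
    case KEYRING_NOT_PERSISTENT: return "no persistent session keyring";
    case KEYRING_UNVERIFIED:     return "user-session keyring not queryable";
    case KEYRING_MISSING:        return "no session keyring";
    case KEYRING_QUERY_FAILED:   return "session keyring query failed";
    }
    return "unknown";
}

/* Query both keyrings without asking the kernel to create anything (create=0),
 * exactly as the patch does, then classify. */
enum keyring_state probe_session_keyring(void)
{
    long ses = raw_keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0);
    int ses_errno = errno;
    long uses = raw_keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_USER_SESSION_KEYRING, 0);
    return classify_keyrings(ses, ses_errno, uses);
}

int main(void)
{
    enum keyring_state before = probe_session_keyring();
    printf("before join: %s\n", keyring_state_str(before));

    /* What pam_keyinit does in the login process: give this process its own
     * anonymous session keyring. It only affects this process and its children. */
    if (raw_keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0L, 0) == -1) {
        fprintf(stderr, "join_session_keyring: %s\n", strerror(errno));
        return 1;
    }
    printf("after join:  %s\n", keyring_state_str(probe_session_keyring()));
    return 0;
}
```

On a login that went through pam_keyinit the first line already reports a dedicated session keyring; on one that did not, it reports "no persistent session keyring" and the second line shows the join fixing it. The join is per-process, which is why the remedy has to happen in the login process (pam_keyinit) and not inside cifscreds itself: a keyring created by cifscreds would disappear with cifscreds, the exact failure the patch warns about. In a container or other sandbox whose seccomp policy blocks keyctl(2), both lookups fail with something other than ENOKEY and the probe reports "session keyring query failed".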