Bug 174410

Summary: Permit key management to request already running process to instantiate a key
Product: Red Hat Enterprise Linux 4
Component: keyutils
Version: 4.0
Hardware: All
OS: Linux
Reporter: David Howells <dhowells>
Assignee: David Howells <dhowells>
CC: poelstra, steved
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: FutureFeature
Doc Type: Enhancement
Fixed In Version: RHEA-2006-0090
Last Closed: 2006-03-07 18:52:47 UTC
Bug Depends On: 173493    
Bug Blocks: 168430    

Description David Howells 2005-11-28 20:19:11 UTC
+++ This bug was initially created as a clone of Bug #173493 +++ 
 
Description of problem: 
The attached patch permits keys of certain types to be instantiated by an   
already running process. This facility has been requested for NFSv4 so that it   
can contact gssapid or similar.  
  
The patch makes the following changes:  
  
 (1) A new, optional key type method has been added. This permits a key type  
     to intercept requests at the point /sbin/request-key is about to be  
     spawned and do something else with them - passing them over the  
     rpc_pipefs files or netlink sockets for instance.  
  
     The uninstantiated key, the authorisation key and the intended operation  
     name are passed to the method.  
  
 (2) The callout_info is no longer passed as an argument to /sbin/request-key  
     to prevent unauthorised viewing of this data using ps or by looking in  
     /proc/pid/cmdline.  
  
     This means that the old /sbin/request-key program will not work with the  
     patched kernel as it will expect to see an extra argument that is no  
     longer there.  
  
     A revised keyutils package will be made available tomorrow.  
  
 (3) The callout_info is now attached to the authorisation key. Reading this  
     key will retrieve the information.  
  
 (4) A new field has been added to the task_struct. This holds the  
     authorisation key currently active for a thread. Searches now look here  
     for the caller's set of keys rather than looking for an auth key in the  
     lowest level of the session keyring.  
  
     This permits a thread to be servicing multiple requests at once and to  
     switch between them. Note that this is per-thread, not per-process, and  
     so is usable in multithreaded programs.  
  
     The setting of this field is inherited across fork and exec.  
  
 (5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that  
     permits a thread to assume the authority to deal with an uninstantiated  
     key. Assumption is only permitted if the authorisation key associated  
     with the uninstantiated key is somewhere in the thread's keyrings.  
  
     This function can also clear the assumption.  
  
 (6) A new magic key specifier has been added to refer to the currently  
     assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY).  
  
 (7) Instantiation will only proceed if the appropriate authorisation key is  
     assumed first. The assumed authorisation key is discarded if  
     instantiation is successful.  
  
 (8) key_validate() is moved from the file of request_key functions to the  
     file of permissions functions.  
  
 (9) The documentation is updated.  
  
 
Version-Release number of selected component (if applicable): 
 
 
How reproducible: 
Always 
 
Steps to Reproduce: 
Install a key type (such as an NFSv4 key when available) that supports key  
instantiation in a running process and then issue a keyctl request2 for a key  
of that key type or, if it's NFSv4, open a file on that filesystem.  
 
Additional info: 
 
This patch is upstream in Andrew Morton's kernel.   
   
The keyutils and glibc-kernheaders will need updating for the facility  
provided by this patch to become available.  
  
Note that applying this patch will break /sbin/request-key as the invoker can  
no longer pass callout_info on the command line, but will instead store it in  
the authorisation key.
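
A request-servicing routine for a long-running daemon, following points (3) and (5) to (7) of the description above; it is an added example, not code from the patch or from keyutils. It uses the raw keyctl syscall; `service_request`, `derive_fn` and `echo_payload` are hypothetical names, and how the daemon learns the key ID and destination keyring (for instance over rpc_pipefs) is assumed to happen elsewhere.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* keyctl values as defined in the kernel's <linux/keyctl.h> */
#define KEYCTL_READ              11
#define KEYCTL_INSTANTIATE       12
#define KEYCTL_ASSUME_AUTHORITY  16
#define KEY_SPEC_REQKEY_AUTH_KEY (-7)

/* Hypothetical hook: turn callout_info into the key payload; <0 = refuse. */
typedef long (*derive_fn)(const char *info, size_t n, char *out, size_t max);

/* Constructed sample hook: use callout_info verbatim as the payload. */
long echo_payload(const char *info, size_t n, char *out, size_t max)
{
    if (n > max)
        return -1;
    memcpy(out, info, n);
    return (long)n;
}

static long kctl(long op, long a, long b, long c, long d)
{
    return syscall(SYS_keyctl, op, a, b, c, d);
}

/* Instantiate `key` into `ring` (0 = no link). Returns 0, or -1 with any
 * assumed authority cleared so it cannot leak into the next request. */
int service_request(int key, int ring, derive_fn derive)
{
    char info[4096], payload[4096];
    long n, plen;

    /* (5): fails unless key's authorisation key is in our keyrings */
    if (kctl(KEYCTL_ASSUME_AUTHORITY, key, 0, 0, 0) < 0)
        return -1;
    /* (3),(6): callout_info is the auth key's payload, never argv */
    n = kctl(KEYCTL_READ, KEY_SPEC_REQKEY_AUTH_KEY, (long)info, sizeof(info), 0);
    if (n < 0 || (size_t)n > sizeof(info))      /* error or truncated */
        goto drop;
    plen = derive(info, (size_t)n, payload, sizeof(payload));
    /* (7): success discards the assumed authorisation key for us */
    if (plen >= 0 && kctl(KEYCTL_INSTANTIATE, key, (long)payload, plen, ring) == 0)
        return 0;
drop:
    kctl(KEYCTL_ASSUME_AUTHORITY, 0, 0, 0, 0);  /* (5): clear assumption */
    return -1;
}
```

Because the assumed authority is per-thread and inherited across fork and exec, clearing it on every failure path keeps a stale authorisation from following the thread into its next request.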

Comment 5 Red Hat Bugzilla 2006-03-07 18:52:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2006-0090.html