From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.2 (like Gecko) Description of problem: When the kernel invokes /sbin/request-key it passes the callout information on the command line. When keyctl is invoked to add, update or instantiate a key, the payload data for the key is passed on the command line. This means the data can be read with ps or by looking in /proc. Version-Release number of selected component (if applicable): keyutils-0.3-1 How reproducible: Always Steps to Reproduce: Any one of: keyctl request2 user debug:uuuu xxxxxx @s keyctl add user a data @s keyctl update <key> data keyctl instantiate <key> data @t Additional info: The kernel patch attached to bug 173493 and the keyutils change for bug 174410 permits the /sbin/request-key problem to be avoided as the callout info is passed in the authorisation key rather than on the command line. I have implementations of alternate keyctl commands for the other three cases that involve passing the data over stdin instead of by command line: echo -n data | keyctl padd user a @s echo -n data | keyctl pupdate <key> echo -n data | keyctl pinstantiate <key> @t I also have a change by which /sbin/request-key can run a program at the end of pipes, passing the callout info to it over its stdin and retrieving the payload with which the key is to be instantiated from its stdout.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2006-0090.html