Bug 2044486 - [spec] keyctl read or revoke fail with access denied, when trying to retrieve the previous key added from the same user
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: systemd
Version: 9.2
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
Assignee: Jan Macku
QA Contact: Frantisek Sumsal
Reported: 2022-01-24 17:04 UTC by Giancarlo del Rossi
Modified: 2023-08-04 10:55 UTC
CC List: 13 users

Fixed In Version: systemd-252-16.el9
Doc Type: If docs needed, set a value
Type: Bug

Links
- GitLab redhat/centos-stream/rpms/systemd merge request 80 (status: opened): "pam: add pam_keyinit.so to systemd-user", last updated 2023-06-27 12:46:04 UTC
- Red Hat Issue Tracker RHELPLAN-109423, last updated 2022-01-24 17:13:27 UTC
- Red Hat Knowledge Base (Solution) 6809451, last updated 2022-05-12 01:36:59 UTC

Comment 9 Michal Sekletar 2022-11-04 17:33:10 UTC
This is caused by a packaging error in systemd. We ship an outdated systemd-user config file which doesn't call pam_keyinit.so. Hence the gnome-terminal-server.service user service inherits the session keyring from the systemd --user instance, which has KeyringMode=private (i.e. a new session keyring not linked with the user keyring). If pam_keyinit.so was invoked from systemd-user then this private keyring (set up by PID 1 when starting the user instance) would be linked to the user keyring and that is then inherited by gnome-terminal.
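
A way to spot the keyring layout described in the comment above, as an added example that is not from the bug report or from systemd: the shell check below parses `keyctl show @s` output (the keyutils listing format is assumed; the function names and the two sample listings are constructed for illustration) and reports whether the session keyring carries a link to the `_uid.<uid>` user keyring, which is the link pam_keyinit.so would have created.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or systemd). Decides from the text
# printed by `keyctl show @s` whether the session keyring is linked to the
# user keyring (_uid.<uid>). Without that link, a key added under @s in one
# process tree is unreachable from another, which is the failure above.
# Assumes the keyutils `keyctl show` layout (nested entries prefixed "\_").

# session_linked_to_user_keyring UID: reads `keyctl show @s` output on stdin;
# returns 0 when a _uid.UID keyring is nested under the session keyring.
session_linked_to_user_keyring() {
    # BRE: literal backslash, "_ keyring: _uid.", the uid, end of line.
    grep -q '\\_ keyring: _uid\.'"$1"'$'
}

# check_live_session: run the real keyctl when installed.
# returns 0 linked, 1 not linked, 2 keyctl unavailable.
check_live_session() {
    command -v keyctl >/dev/null 2>&1 || return 2
    keyctl show @s | session_linked_to_user_keyring "$(id -u)"
}

# Constructed sample: session keyring that pam_keyinit linked to the user
# keyring (the healthy layout).
LINKED_SAMPLE='Keyring
 802078591 --alswrv   1000  1000  keyring: _ses
 134826224 --alswrv   1000 65534   \_ keyring: _uid.1000
 456789012 --alswrv   1000  1000   \_ user: mytoken'

# Constructed sample: private session keyring inherited from systemd --user
# (KeyringMode=private) that nothing ever linked (the bug's layout).
PRIVATE_SAMPLE='Keyring
 223344556 --alswrv   1000  1000  keyring: _ses
 667788990 --alswrv   1000  1000   \_ user: mytoken'

for sample in "$LINKED_SAMPLE" "$PRIVATE_SAMPLE"; do
    if printf '%s\n' "$sample" | session_linked_to_user_keyring 1000; then
        echo "sample: linked to _uid.1000"
    else
        echo "sample: NOT linked to the user keyring"
    fi
done
rc=0; check_live_session || rc=$?
case "$rc" in
    0) echo "live: linked to _uid.$(id -u)" ;;
    1) echo "live: NOT linked (pam_keyinit not run for this session?)" ;;
    *) echo "live: keyctl not installed, skipped" ;;
esac
```

On an affected RHEL 9 desktop the "live" line from a gnome-terminal shell is expected to report NOT linked, while a login shell whose PAM stack ran pam_keyinit.so reports linked.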

Comment 10 Zbigniew Jędrzejewski-Szmek 2022-11-23 15:14:42 UTC
We discussed this during a meeting with PAM maintainers today… The issue is even more subtle:
we call 'pam_keyinit revoke' via the shared configuration, but we need to call 'pam_keyinit force revoke'.
This will need to be done in our own config. As Michal wrote, this is already done upstream,
so the fix will be to just make sure that those upstream changes are present in our downstream
version of this file.

Comment 12 Jan Macku 2023-06-27 12:46:04 UTC
I have posted an MR fixing this issue, thank you for your patience.

https://gitlab.com/redhat/centos-stream/rpms/systemd/-/merge_requests/80
