From e369fc08906383e6d5c39832f31bb6600a33f887 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 11 Nov 2011 16:59:21 -0500
Subject: Set more strict permissions on keyring

We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
---
 src/monitor/monitor.c                         | 27 ++++++++++++++++++++++
 .../krb5/krb5_delayed_online_authentication.c |  2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1b7f87a9..2db9d541 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -51,6 +51,10 @@
 #include "sbus/sssd_dbus.h"
 #include "monitor/monitor_interfaces.h"
 
+#ifdef USE_KEYRING
+#include
+#endif
+
 /* ping time cannot be less then once every few seconds or the
  * monitor will get crazy hammering children with messages */
 #define MONITOR_DEF_PING_TIME 10
@@ -2472,6 +2476,29 @@ int main(int argc, const char *argv[])
         }
     }
 
+#ifdef USE_KEYRING
+    /* Do this before all the forks, it sets the session key ring so all
+     * keys are private to the daemon and cannot be read by any other process
+     * tree */
+
+    /* make a new session */
+    ret = keyctl_join_session_keyring(NULL);
+    if (ret == -1) {
+        sss_log(SSS_LOG_ALERT,
+                "Could not create private keyring session. "
+                "If you store password there they may be easily accessible "
+                "to the root user. (%d, %s)", errno, strerror(errno));
+    }
+
+    ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL);
+    if (ret == -1) {
+        sss_log(SSS_LOG_ALERT,
+                "Could not set permissions on private keyring. "
+                "If you store password there they may be easily accessible "
+                "to the root user. (%d, %s)", errno, strerror(errno));
+    }
+#endif
+
     /* Warn if nscd seems to be running */
     ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL, false);
     if (ret == EOK) {
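Review bot: The keyctl_setperm() call near the end of the added block runs even when keyctl_join_session_keyring() failed a few lines earlier, so on that path it rewrites the permissions of whatever session keyring the daemon inherited from its parent (for example the invoking administrator's login session), locking the other holders of that keyring out while gaining none of the intended isolation. Make the permission change depend on the join having succeeded: replace the closing brace of the first check and the two lines after it with `} else if (keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL) == -1) {`, keeping the second sss_log() as the body of that branch. Both failures are only logged and startup continues, which is presumably deliberate since the credential cache is optional, but a one-line comment on the `#ifdef USE_KEYRING` line saying that callers of add_key() downstream will then land in a shared keyring would make the trade-off visible. main() begins and ends outside the hunk.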
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index 02f09919..d5dea3bb 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
 
 #ifdef USE_KEYRING
     new_pd->key_serial = add_key("user", new_pd->user, new_pd->authtok,
-                                 new_pd->authtok_size, KEY_SPEC_THREAD_KEYRING);
+                                 new_pd->authtok_size, KEY_SPEC_SESSION_KEYRING);
     if (new_pd->key_serial == -1) {
         ret = errno;
         DEBUG(1, ("add_key fialed [%d][%s].\n", ret, strerror(ret)));
-- cgit
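Review bot: Switching add_key() to KEY_SPEC_SESSION_KEYRING only confines the password if the monitor actually joined a private session keyring at startup; when that join failed (the monitor logs an alert and carries on), the special id resolves to an inherited session keyring or, if the process has none, to the uid's user-session keyring, which is shared by every process running as that uid. Nothing in this function can tell those cases apart from the add_key() return value, so the safe-by-default behaviour would be for the monitor to refuse to start, or to pass the outcome down so this path skips caching the credential rather than storing it in a shared keyring. Moving off the thread keyring also means the key no longer disappears with the calling thread; unless the cleanup path outside the hunk unlinks it, bounding its lifetime with `keyctl_set_timeout(new_pd->key_serial, <TIMEOUT_PLACEHOLDER>);` right after the error check seems prudent. add_user_to_delayed_online_authentication() starts before the hunk and continues after it.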