Control: reassign -1 sudo 1.8.27-1
Control: affects -1 cryptsetup
Control: merge -1 906752

On Thu, 05 Sep 2019 at 02:03:34 +0200, Guilhem Moulin wrote:
> Perhaps keyctl(1) could provide a wrapper using thread-keyring(7) as
> temporary keyring, like the attached PoC.

Of course I forgot the attachment :-P

That said I'm not sure that using a temporary keyring and changing
ownership is the way to go, it adds complexity and not having a
reachable user-keyring(7) might cause other problems.  I was about to
reassign that to sudo but noticed there is already a bug open:
https://bugs.debian.org/906752

-- 
Guilhem.

#include <err.h>
#include <sys/types.h>
#include <keyutils.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    /* Arguments: key type, description, payload */
    if (argc != 4)
        exit(EXIT_FAILURE);

    /* Create the key in the thread keyring, used as a temporary keyring */
    key_serial_t key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
                               KEY_SPEC_THREAD_KEYRING);
    if (key == -1)
        err(EXIT_FAILURE, "add_key");

    /* Expire the key after 60 seconds */
    if (keyctl_set_timeout(key, 60) == -1)
        err(EXIT_FAILURE, "keyctl_set_timeout");

    /* Possessor: all rights; user: view, read, write and search */
    if (keyctl_setperm(key, KEY_POS_ALL|KEY_USR_VIEW|KEY_USR_READ|KEY_USR_WRITE|KEY_USR_SEARCH) == -1)
        err(EXIT_FAILURE, "keyctl_setperm");

    /* Link the key into the user keyring, then drop the temporary link */
    if (keyctl_link(key, KEY_SPEC_USER_KEYRING) == -1)
        err(EXIT_FAILURE, "keyctl_link");
    keyctl_unlink(key, KEY_SPEC_THREAD_KEYRING);

    exit(EXIT_SUCCESS);
}