cifscreds: add a check and warnings for session keyring problems

Many distros do not call into pam_keyinit to set up the session keyring
properly at login time. When cifscreds add is used in such a session,
the kernel will spawn a new session keyring in which to install the
credentials. That keyring will then go away once the cifscreds process
exits.

Check for this situation by looking to see if the session and
user-session keyrings are the same. Throw a warning if so, and add some
verbiage to the cifscreds manpage that explains the issue. Also, if
the session keyring can't be queried for any reason, then cause the
program to error out.

Acked-by: David Howells <dhowells@redhat.com>
Reported-by: Milan Knížek <knizek.confy@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>

diff --git a/cifscreds.1 b/cifscreds.1
index 44a02a27be4114d9d7961ccafd75d8267808d814..83afae677003506151d0837d9256ec5d2ff34181 100644 (file)
--- a/cifscreds.1
+++ b/cifscreds.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CIFSCREDS 1"
-.TH CIFSCREDS 1 "2012-01-24" "" ""
+.TH CIFSCREDS 1 "2012-07-17" "" ""
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -186,6 +186,13 @@ different username.
 The cifscreds utility requires a kernel built with support for the
 \&\fBlogin\fR key type. That key type was added in v3.3 in mainline Linux
 kernels.
+.PP
+Since \fBcifscreds\fR adds keys to the session keyring, it is highly
+recommended that one use \fBpam_keyinit\fR to ensure that a session keyring
+is established at login time.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIpam_keyinit\fR\|(8)
 .SH "AUTHORS"
 .IX Header "AUTHORS"
 The cifscreds program was originally developed by Igor Druzhinin

diff --git a/cifscreds.c b/cifscreds.c
index efc76e601cdd86b0976bbfb96bb4a66631e65ab0..bb35c02e5195a17e715d94891b874dae0fdb86a8 100644 (file)
--- a/cifscreds.c
+++ b/cifscreds.c
@@ -28,6 +28,7 @@
 #include <ctype.h>
 #include <keyutils.h>
 #include <getopt.h>
+#include <errno.h>
 #include "mount.h"
 #include "resolve_host.h"
 #include "util.h"
@@ -465,6 +466,36 @@ static int cifscreds_update(struct cmdarg *arg)
        return EXIT_SUCCESS;
 }
 
+static int
+check_session_keyring(void)
+{
+       key_serial_t    ses_key, uses_key;
+
+       ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+       if (ses_key == -1) {
+               if (errno == ENOKEY)
+                       fprintf(stderr, "Error: you have no session keyring. "
+                                       "Consider using pam_keyinit to "
+                                       "install one.\n");
+               else
+                       fprintf(stderr, "Error: unable to query session "
+                                       "keyring: %s\n", strerror(errno));
+               return (int)ses_key;
+       }
+
+       /* A problem querying the user-session keyring isn't fatal. */
+       uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
+       if (uses_key == -1)
+               return 0;
+
+       if (ses_key == uses_key)
+               fprintf(stderr, "Warning: you have no persistent session "
+                               "keyring. cifscreds keys will not persist "
+                               "after this process exits. See "
+                               "pam_keyinit(8).\n");
+       return 0;
+}
+
 int main(int argc, char **argv)
 {
        struct command *cmd, *best;
@@ -535,5 +566,8 @@ int main(int argc, char **argv)
        if (arg.user == NULL)
                arg.user = getusername(getuid());
 
+       if (check_session_keyring())
+               return EXIT_FAILURE;
+
        return best->action(&arg);
 }

diff --git a/cifscreds.pod b/cifscreds.pod
index 17e453f1ed253997f9400b764b66fca099c7c88f..c3bafb597b3d9f5a02d9214e0bc722db026c6b6f 100644 (file)
--- a/cifscreds.pod
+++ b/cifscreds.pod
@@ -79,6 +79,14 @@ The cifscreds utility requires a kernel built with support for the
 B<login> key type. That key type was added in v3.3 in mainline Linux
 kernels.
 
+Since B<cifscreds> adds keys to the session keyring, it is highly
+recommended that one use B<pam_keyinit> to ensure that a session keyring
+is established at login time.
+
+=head1 SEE ALSO
+
+pam_keyinit(8)
+
 =head1 AUTHORS
 
 The cifscreds program was originally developed by Igor Druzhinin