Dear Maintainer,

sudo's pam config doesn't create a new keyring session for the processes it spawns. This leads to problems with programs that try to add things to the keyring, because they try to modify the user's keyring, which even root doesn't have permission to do. An example of this was mentioned in this previous bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758788#45

It turns out that this works when logged in as root via SSH because this line in `/etc/pam.d/sshd` sets up a new session keyring for the root user:

The same line is also present in `/etc/pam.d/runuser-l`, so I've been working around this problem by running cryptdisks_start via `sudo runuser -l`, as in:

so on'

Given that it's not useful for a process running on the root user to try to manipulate the user's session keyring, I think it would make sense for /etc/pam.d/sudo to force the creation of a new one, or at least for `sudo -i` to force the creation of a new one via a `/etc/pam.d/sudo-i` config file, similar to `runuser -l`.

Thanks,
Simon
The pam_keyring(8) manpage advises against adding pam_keyinit

,----
| This module should not, generally, be invoked by programs like su,
| since it is usually desirable for the key set to percolate through to
| the alternate context. The keys have their own permissions system to
| manage this.
`----

However, there's no mention of the issue described here.

For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which contains the line

,----
| session optional pam_keyinit.so revoke
`----

and they also seem to have different intended behavior for interactive usage – there's a separate /etc/pam.d/sudo-i which contains

,----
| session optional pam_keyinit.so force revoke
`----

Cheers,
-Hilko
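As an added check (not part of the bug thread), the following script compares the session keyring serial the calling user sees with the one a process under sudo, sudo -i and runuser -l sees, so an admin can verify whether a given /etc/pam.d/sudo or sudo-i actually yields a fresh keyring. It assumes keyutils' keyctl(1) is installed; the live comparison only runs when invoked with --live, the parsing helpers work on embedded sample output.

```sh
#!/bin/sh
# Added example, not from the bug report. Assumes keyctl(1) from keyutils.

# keyring_serial OUTPUT: pull the keyring serial out of "keyctl show @s"
# output, whose second line looks like
#   " 903548302 --alswrv   1000  1000  keyring: _ses"
keyring_serial() {
    printf '%s\n' "$1" | awk 'NR==2 { print $1; exit }'
}

# keyring_verdict OUTER INNER: "shared" when the spawned process still
# sits in the caller's session keyring (the situation the report
# describes), "new" when pam_keyinit gave it its own, "unknown" if
# either side could not read a session keyring at all.
keyring_verdict() {
    outer=$(keyring_serial "$1")
    inner=$(keyring_serial "$2")
    if [ -z "$outer" ] || [ -z "$inner" ]; then
        echo "unknown"
    elif [ "$outer" = "$inner" ]; then
        echo "shared"
    else
        echo "new"
    fi
}

# check_live: run the comparison against the real sudo/runuser configs.
check_live() {
    outer=$(keyctl show @s)
    inner=$(sudo keyctl show @s 2>/dev/null || true)
    printf '%-14s %s\n' "sudo:" "$(keyring_verdict "$outer" "$inner")"
    inner=$(sudo -i keyctl show @s 2>/dev/null || true)
    printf '%-14s %s\n' "sudo -i:" "$(keyring_verdict "$outer" "$inner")"
    inner=$(sudo runuser -l root -c 'keyctl show @s' 2>/dev/null || true)
    printf '%-14s %s\n' "runuser -l:" "$(keyring_verdict "$outer" "$inner")"
}

# Constructed sample outputs (serials are made up) for offline use.
SAMPLE_USER='Session Keyring
 903548302 --alswrv   1000  1000  keyring: _ses'
SAMPLE_SHARED="$SAMPLE_USER"
SAMPLE_NEW='Session Keyring
 118822101 --alswrv      0     0  keyring: _ses'

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```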
X-Debbugs-CC: vorlon@debian.org
thanks

So we need to make up our minds whether to follow up the pam_keyinit maintainers or Red Hat. Maybe the PAM maintainer can comment here?

Greetings
Marc
I guess this is supposed to be pam_keyinit(8) since I do find the text there.

I would suggest consulting the maintainers of other packages that currently ship references to pam_keyinit and try to get a consensus with them. For example, /etc/pam.d/su-l does reference pam_keyinit in Debian, which seems like it directly contradicts the above manpage but addresses this exact issue. I believe debian-devel is the appropriate venue for such a discussion.
Dear Util-Linux Maintainers,

in sudo, we currently have to decide whether to add calls to pam_keyinit in our pam configuration files. There is quite a number of packages doing this, but the pam_keyinit documentation advises "programs like su" against doing so. However, in Debian, /etc/pam.d/su-l references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand, doas doesn't seem to reference pam_keyinit at all.

If sudo goes the way to mimic what su does, we would reference pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller an interactive session, but not in /etc/pam.d/sudo.

May I ask for your rationale to do things the way you did them for su and pam_keyinit? Your insights might help us to take a wise decision for sudo.

Thanks for your help, which is greatly appreciated.

Greetings
Marc
Hello Marc,
Hello Andreas (added to CC:),

* Marc Haber <mh+debian-packages@zugschlus.de> [220206 12:36]:

I do not know why this was done for su-l and not su. My speculation would be that we have inherited the su-l PAM config from Fedora, and the su PAM config from src:shadow before 2018. Maybe the distinction is an accident. Andreas, you worked on the su takeover from src:shadow. Do you have insights to share?

I will note that our runuser(-l) PAM config also mirrors this:

runuser:   session optional pam_keyinit.so revoke
runuser-l: session optional pam_keyinit.so force revoke

It would appear to me that keyutils and pam_keyinit, and most of the util-linux PAM config originate in Fedora(/RH). The Fedora folks are probably the ones to ask how all of this is supposed to work.

Sorry that I cannot add much useful info here.

Chris
Control: tags -1 help
Control: tags 939357 help
thanks

For the record, the Red Hat maintainer of pam_keyinit didn't bother replying. So the next thing is to follow Steve's advice to reach out to -devel to get consensus.

I have currently other things on my plate and would not like to open just another issue here, I am therefore postponing this on my personal schedule. Other team members or people who want to help, please reach out to -devel at will.

Thanks in advance.

Greetings
Marc
Hi Chris,

thanks for trying to help back in February. I'm coming back to this after being busy with other things.

Andreas, did you read this?

Chris, can you give me a pointer to whom in Fedora I'm supposed to reach out?

Greetings
Marc
Hello Marc, Chris,

Sorry for my late (and possibly pretty lame) reply.

[...]

[...]

I have a very bad memory which is why I try to write down as much as possible in bug reports, commit messages, etc to leave hints for my future self. I need to dig to figure things out myself, but I think the above description is basically correct.

(If there's any message from me that you have a problem with interpreting what it means, please point me to it and I can try to interpret my own bad grammar to figure out what I tried to write.)

Regards,
Andreas Henriksson