suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man7/persistent-keyring.7.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

209 lines
6.2 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PERSISTENT-KEYRING</TITLE>
</HEAD><BODY>
<H1>PERSISTENT-KEYRING</H1>
Section: Linux Programmer's Manual (7)<BR>Updated: 2017-03-13<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
persistent-keyring - per-user persistent keyring
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
The persistent keyring is a keyring used to anchor keys on behalf of a user.
Each UID the kernel deals with has its own persistent keyring that
is shared between all threads owned by that UID.
The persistent keyring has a name (description) of the form
<I>_persistent.&lt;UID&gt;</I>
where
<I>&lt;UID&gt;</I>
is the user ID of the corresponding user.
<P>
The persistent keyring may not be accessed directly,
even by processes with the appropriate UID.
Instead, it must first be linked to one of a process's keyrings,
before that keyring can access the persistent keyring
by virtue of its possessor permits.
This linking is done with the
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3)
function.
<P>
If a persistent keyring does not exist when it is accessed by the
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3)
operation, it will be automatically created.
<P>
Each time the
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3)
operation is performed,
the persistent key's expiration timer is reset to the value in:
<P>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;/proc/sys/kernel/keys/persistent_keyring_expiry
<P>
Should the timeout be reached,
the persistent keyring will be removed and
everything it pins can then be garbage collected.
The key will then be re-created on a subsequent call to
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3).
<P>
The persistent keyring is not directly searched by
<B><A HREF="/cgi-bin/man/man2html?2+request_key">request_key</A></B>(2);
it is searched only if it is linked into one of the keyrings
that is searched by
<B><A HREF="/cgi-bin/man/man2html?2+request_key">request_key</A></B>(2).
<P>
The persistent keyring is independent of
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+fork">fork</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+vfork">vfork</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+execve">execve</A></B>(2),
and
<B><A HREF="/cgi-bin/man/man2html?2+_exit">_exit</A></B>(2).
It persists until its expiration timer triggers,
at which point it is garbage collected.
This allows the persistent keyring to carry keys beyond the life of
the kernel's record of the corresponding UID
(the destruction of which results in the destruction of the
<B><A HREF="/cgi-bin/man/man2html?7+user-keyring">user-keyring</A></B>(7)
and the
<B><A HREF="/cgi-bin/man/man2html?7+user-session-keyring">user-session-keyring</A></B>(7)).
The persistent keyring can thus be used to
hold authentication tokens for processes that run without user interaction,
such as programs started by
<B><A HREF="/cgi-bin/man/man2html?8+cron">cron</A></B>(8).
<P>
The persistent keyring is used to store UID-specific objects that
themselves have limited lifetimes (e.g., kerberos tokens).
If those tokens cease to be used
(i.e., the persistent keyring is not accessed),
then the timeout of the persistent keyring ensures that
the corresponding objects are automatically discarded.
<A NAME="lbAD">&nbsp;</A>
<H3>Special operations</H3>
The
<I>keyutils</I>
library provides the
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3)
function for manipulating persistent keyrings.
(This function is an interface to the
<B><A HREF="/cgi-bin/man/man2html?2+keyctl">keyctl</A></B>(2)
<B>KEYCTL_GET_PERSISTENT</B>
operation.)
This operation allows the calling thread to get the persistent keyring
corresponding to its own UID or, if the thread has the
<B>CAP_SETUID</B>
capability, the persistent keyring corresponding to some other UID
in the same user namespace.
<A NAME="lbAE">&nbsp;</A>
<H2>NOTES</H2>
Each user namespace owns a keyring called
<I>.persistent_register</I>
that contains links to all of the persistent keys in that namespace.
(The
<I>.persistent_register</I>
keyring can be seen when reading the contents of the
<I>/proc/keys</I>
file for the UID 0 in the namespace.)
The
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3)
operation looks for a key with a name of the form
<I>_persistent.&lt;UID&gt;</I>
in that keyring,
creates the key if it does not exist, and links it into the keyring.
<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?1+keyctl">keyctl</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?3+keyctl">keyctl</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+keyctl_get_persistent">keyctl_get_persistent</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?7+keyrings">keyrings</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+process-keyring">process-keyring</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+session-keyring">session-keyring</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+thread-keyring">thread-keyring</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+user-keyring">user-keyring</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+user-session-keyring">user-session-keyring</A></B>(7)
<A NAME="lbAG">&nbsp;</A>
<H2>COLOPHON</H2>
This page is part of release 5.05 of the Linux
<I>man-pages</I>
project.
A description of the project,
information about reporting bugs,
and the latest version of this page,
can be found at
<A HREF="https://www.kernel.org/doc/man-pages/.">https://www.kernel.org/doc/man-pages/.</A>
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="1"><A HREF="#lbAB">NAME</A><DD>
<DT id="2"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DL>
<DT id="3"><A HREF="#lbAD">Special operations</A><DD>
</DL>
<DT id="4"><A HREF="#lbAE">NOTES</A><DD>
<DT id="5"><A HREF="#lbAF">SEE ALSO</A><DD>
<DT id="6"><A HREF="#lbAG">COLOPHON</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:09 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink