Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

persistent-keyring(7) [linux man page]

PERSISTENT-KEYRING(7)					     Linux Programmer's Manual					     PERSISTENT-KEYRING(7)

NAME

       persistent-keyring - per-user persistent keyring

DESCRIPTION

       The persistent keyring is a keyring used to anchor keys on behalf of a user.  Each UID the kernel deals with has its own persistent keyring
       that is shared between all threads owned by that UID.  The persistent keyring has a name (description) of the form _persistent.<UID>  where
       <UID> is the user ID of the corresponding user.

       The  persistent	keyring may not be accessed directly, even by processes with the appropriate UID.  Instead, it must first be linked to one
       of a process's keyrings, before that keyring can access the persistent keyring by virtue of its possessor permits.  This  linking  is  done
       with the keyctl_get_persistent(3) function.

       If a persistent keyring does not exist when it is accessed by the keyctl_get_persistent(3) operation, it will be automatically created.

       Each time the keyctl_get_persistent(3) operation is performed, the persistent key's expiration timer is reset to the value in:

	   /proc/sys/kernel/keys/persistent_keyring_expiry

       Should  the  timeout be reached, the persistent keyring will be removed and everything it pins can then be garbage collected.  The key will
       then be re-created on a subsequent call to keyctl_get_persistent(3).

       The persistent keyring is not directly searched by request_key(2); it is searched only if it is linked into one of  the	keyrings  that	is
       searched by request_key(2).

       The  persistent	keyring  is  independent  of clone(2), fork(2), vfork(2), execve(2), and _exit(2).  It persists until its expiration timer
       triggers, at which point it is garbage collected.  This allows the persistent keyring to carry keys beyond the life of the kernel's  record
       of the corresponding UID (the destruction of which results in the destruction of the user-keyring(7) and the user-session-keyring(7)).  The
       persistent keyring can thus be used to hold authentication tokens for processes that run without user interaction, such as programs started
       by cron(8).

       The  persistent	keyring  is  used  to store UID-specific objects that themselves have limited lifetimes (e.g., kerberos tokens).  If those
       tokens cease to be used (i.e., the persistent keyring is not accessed), then the timeout of the persistent keyring ensures that the  corre-
       sponding objects are automatically discarded.

   Special operations
       The  keyutils  library provides the keyctl_get_persistent(3) function for manipulating persistent keyrings.  (This function is an interface
       to the keyctl(2) KEYCTL_GET_PERSISTENT operation.)  This operation allows the calling thread to get the persistent keyring corresponding to
       its own UID or, if the thread has the CAP_SETUID capability, the persistent keyring corresponding to some other UID in the same user names-
       pace.

NOTES

       Each user namespace owns a keyring called .persistent_register that contains links to all of the persistent keys in that  namespace.   (The
       .persistent_register  keyring  can  be  seen  when  reading  the  contents  of  the  /proc/keys	file for the UID 0 in the namespace.)  The
       keyctl_get_persistent(3) operation looks for a key with a name of the form _persistent.<UID> in that keyring, creates the key  if  it  does
       not exist, and links it into the keyring.

SEE ALSO

       keyctl(1), keyctl(3), keyctl_get_persistent(3), keyrings(7), process-keyring(7), session-keyring(7), thread-keyring(7), user-keyring(7),
       user-session-keyring(7)

Linux								    2017-03-13						     PERSISTENT-KEYRING(7)

Check Out this Related Man Page

SESSION-KEYRING(7)					     Linux Programmer's Manual						SESSION-KEYRING(7)

NAME

       session-keyring - session shared process keyring

DESCRIPTION

       The session keyring is a keyring used to anchor keys on behalf of a process.  It is typically created by pam_keyinit(8) when a user logs in
       and a link will be added that refers to the user-keyring(7).  Optionally, PAM may revoke the session keyring on logout.	(In  typical  con-
       figurations, PAM does do this revocation.)  The session keyring has the name (description) _ses.

       A  special  serial  number  value, KEY_SPEC_SESSION_KEYRING, is defined that can be used in lieu of the actual serial number of the calling
       process's session keyring.

       From the keyctl(1) utility, '@s' can be used instead of a numeric key ID in much the same way.

       A process's session keyring is inherited across clone(2), fork(2), and vfork(2).  The session keyring is preserved across  execve(2),  even
       when the executable is set-user-ID or set-group-ID or has capabilities.	The session keyring is destroyed when the last process that refers
       to it exits.

       If a process doesn't have a session keyring when it is accessed, then, under certain circumstances,  the  user-session-keyring(7)  will	be
       attached as the session keyring and under others a new session keyring will be created.	(See user-session-keyring(7) for further details.)

   Special operations
       The keyutils library provides the following special operations for manipulating session keyrings:

       keyctl_join_session_keyring(3)
	      This  operation allows the caller to change the session keyring that it subscribes to.  The caller can join an existing keyring with
	      a specified name (description), create a new keyring with a given name, or ask the  kernel  to  create  a  new  "anonymous"  session
	      keyring with the name "_ses".  (This function is an interface to the keyctl(2) KEYCTL_JOIN_SESSION_KEYRING operation.)

       keyctl_session_to_parent(3)
	      This operation allows the caller to make the parent process's session keyring to the same as its own.  For this to succeed, the par-
	      ent process must have identical security attributes and must be single threaded.	(This function is an interface	to  the  keyctl(2)
	      KEYCTL_SESSION_TO_PARENT operation.)

       These operations are also exposed through the keyctl(1) utility as:

	   keyctl session
	   keyctl session - [<prog> <arg1> <arg2> ...]
	   keyctl session <name> [<prog> <arg1> <arg2> ...]

       and:

	   keyctl new_session

SEE ALSO

       keyctl(1), keyctl(3), keyctl_join_session_keyring(3), keyctl_session_to_parent(3), keyrings(7), persistent-keyring(7), process-keyring(7),
       thread-keyring(7), user-keyring(7), user-session-keyring(7), pam_keyinit(8)

Linux								    2017-09-15							SESSION-KEYRING(7)
Man Page