Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

user-session-keyring(7) [linux man page]

USER-SESSION-KEYRING(7) 				     Linux Programmer's Manual					   USER-SESSION-KEYRING(7)

NAME

       user-session-keyring - per-user default session keyring

DESCRIPTION

       The  user  session  keyring  is a keyring used to anchor keys on behalf of a user.  Each UID the kernel deals with has its own user session
       keyring that is shared by all processes with that UID.  The user session keyring has a name (description) of the form _uid_ses.<UID>  where
       <UID> is the user ID of the corresponding user.

       The  user  session  keyring  is	associated  with the record that the kernel maintains for the UID.  It comes into existence upon the first
       attempt to access either the user session keyring, the user-keyring(7), or the session-keyring(7).  The keyring remains pinned in existence
       so  long as there are processes running with that real UID or files opened by those processes remain open.  (The keyring can also be pinned
       indefinitely by linking it into another keyring.)

       The user session keyring is created on demand when a thread requests it or when a thread asks for its session-keyring(7) and  that  keyring
       doesn't	exist.	In the latter case, a user session keyring will be created and, if the session keyring wasn't to be created, the user ses-
       sion keyring will be set as the process's actual session keyring.

       The user session keyring is searched by request_key(2) if the actual session keyring does not exist and is ignored otherwise.

       A special serial number value, KEY_SPEC_USER_SESSION_KEYRING, is defined that can be used in lieu of the actual serial number of the  call-
       ing process's user session keyring.

       From the keyctl(1) utility, '@us' can be used instead of a numeric key ID in much the same way.

       User  session keyrings are independent of clone(2), fork(2), vfork(2), execve(2), and _exit(2) excepting that the keyring is destroyed when
       the UID record is destroyed when the last process pinning it exits.

       If a user session keyring does not exist when it is accessed, it will be created.

       Rather than relying on the user session keyring, it is strongly recommended--especially if the process is running as root--that a  session-
       keyring(7) be set explicitly, for example by pam_keyinit(8).

NOTES

       The user session keyring was added to support situations where a process doesn't have a session keyring, perhaps because it was created via
       a pathway that didn't involve PAM (e.g., perhaps it was a daemon started by inetd(8)).  In such a scenario, the user session  keyring  acts
       as a substitute for the session-keyring(7).

SEE ALSO

       keyctl(1), keyctl(3), keyrings(7), persistent-keyring(7), process-keyring(7), session-keyring(7), thread-keyring(7), user-keyring(7)

Linux								    2017-03-13						   USER-SESSION-KEYRING(7)

Check Out this Related Man Page

SESSION-KEYRING(7)					     Linux Programmer's Manual						SESSION-KEYRING(7)

NAME

       session-keyring - session shared process keyring

DESCRIPTION

       The session keyring is a keyring used to anchor keys on behalf of a process.  It is typically created by pam_keyinit(8) when a user logs in
       and a link will be added that refers to the user-keyring(7).  Optionally, PAM may revoke the session keyring on logout.	(In  typical  con-
       figurations, PAM does do this revocation.)  The session keyring has the name (description) _ses.

       A  special  serial  number  value, KEY_SPEC_SESSION_KEYRING, is defined that can be used in lieu of the actual serial number of the calling
       process's session keyring.

       From the keyctl(1) utility, '@s' can be used instead of a numeric key ID in much the same way.

       A process's session keyring is inherited across clone(2), fork(2), and vfork(2).  The session keyring is preserved across  execve(2),  even
       when the executable is set-user-ID or set-group-ID or has capabilities.	The session keyring is destroyed when the last process that refers
       to it exits.

       If a process doesn't have a session keyring when it is accessed, then, under certain circumstances,  the  user-session-keyring(7)  will	be
       attached as the session keyring and under others a new session keyring will be created.	(See user-session-keyring(7) for further details.)

   Special operations
       The keyutils library provides the following special operations for manipulating session keyrings:

       keyctl_join_session_keyring(3)
	      This  operation allows the caller to change the session keyring that it subscribes to.  The caller can join an existing keyring with
	      a specified name (description), create a new keyring with a given name, or ask the  kernel  to  create  a  new  "anonymous"  session
	      keyring with the name "_ses".  (This function is an interface to the keyctl(2) KEYCTL_JOIN_SESSION_KEYRING operation.)

       keyctl_session_to_parent(3)
	      This operation allows the caller to make the parent process's session keyring to the same as its own.  For this to succeed, the par-
	      ent process must have identical security attributes and must be single threaded.	(This function is an interface	to  the  keyctl(2)
	      KEYCTL_SESSION_TO_PARENT operation.)

       These operations are also exposed through the keyctl(1) utility as:

	   keyctl session
	   keyctl session - [<prog> <arg1> <arg2> ...]
	   keyctl session <name> [<prog> <arg1> <arg2> ...]

       and:

	   keyctl new_session

SEE ALSO

       keyctl(1), keyctl(3), keyctl_join_session_keyring(3), keyctl_session_to_parent(3), keyrings(7), persistent-keyring(7), process-keyring(7),
       thread-keyring(7), user-keyring(7), user-session-keyring(7), pam_keyinit(8)

Linux								    2017-09-15							SESSION-KEYRING(7)
Man Page