[pbs-devel] [PATCH backup v3 1/2] http_client: store tickets in the user's config directory
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Apr 18 15:14:45 CEST 2025
On 18.04.25 at 14:47, Maximiliano Sandoval wrote:
> Regarding kernel keyring or systemd creds, at least the latter requires
> root access as of debian 12. An issue common to these three mechanisms
> is that they all make assumptions about permissions, the backup client
> could be run as an arbitrary user which might not have permissions to
> any of /run, the keyring, nor the system credentials.
The kernel keyring does not need root, it works as every user and has
a per user (uid) keyring as one of its default keyrings, which makes it
quite neat and normally exactly the right choice for such stuff.
You can use the keyctl as CLI tool to experiment with the keyring without
having to write a program using the syscalls directly.
The following example works just fine as a standard user, as it should work
for every UID on the system. It adds a user key named "test" in the "@u"
uid keyring:
keyctl add user test "super secure ticket" @u
It returns the key serial number (ID), but you can also list the keys
from a keyring:
keyctl list @u
Or search by name:
keyctl search @u user test
And then use the serial number to read the content, e.g.:
keyctl print 304368094
The only "downside" is that it won't survive a reboot, so if a user
frequently reboots but would like to stay logged in then this won't
work, but tbh. I'd just tell them: tough luck, use an API token and
handle passing it yourself in that case that is IMO rather.
I'd not be surprised if Wolfgang either has rust code for accessing
the keyring nicely or maybe knows a sane and current crate for that.
In any case, this seems like a much nicer solution all around to me,
but I naturally could have overlooked some drawback.
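The keyctl add / search / print / unlink steps described above, done from a program instead of the CLI, as an added example that is not part of the proxmox-backup code base: it stores a ticket under a name in the per-UID keyring, gives it a kernel-side expiry, and looks it up by name again. It assumes Linux on x86_64 (the syscall numbers are hard-coded; aarch64 values are noted in a comment) and uses the raw add_key/keyctl syscalls through libc's syscall() so no crate is needed; the ticket value in the test is a constructed sample.

```rust
// Added example (not PBS code): keep a login ticket in the per-UID kernel
// keyring ("@u" in keyctl terms) via the raw add_key/keyctl syscalls.
use std::ffi::CString;
use std::io;
use std::os::raw::{c_long, c_void};
extern "C" { fn syscall(num: c_long, ...) -> c_long; }
const SYS_ADD_KEY: c_long = 248; // x86_64 numbers (aarch64: 217 / 219)
const SYS_KEYCTL: c_long = 250;
const KEY_SPEC_USER_KEYRING: c_long = -4; // the "@u" keyring
const KEYCTL_UNLINK: c_long = 9;
const KEYCTL_SEARCH: c_long = 10;
const KEYCTL_READ: c_long = 11;
const KEYCTL_SET_TIMEOUT: c_long = 15;

fn check(ret: c_long) -> io::Result<c_long> {
    if ret < 0 { Err(io::Error::last_os_error()) } else { Ok(ret) }
}

/// Add (or replace) the "user" key `desc` in @u and return its serial; the
/// kernel expires it after `ttl_secs`, so it never outlives the server-side ticket.
pub fn store_ticket(desc: &str, ticket: &[u8], ttl_secs: u32) -> io::Result<c_long> {
    let (ktype, cdesc) = (CString::new("user")?, CString::new(desc)?);
    let id = check(unsafe {
        syscall(SYS_ADD_KEY, ktype.as_ptr(), cdesc.as_ptr(),
                ticket.as_ptr() as *const c_void, ticket.len(), KEY_SPEC_USER_KEYRING)
    })?;
    check(unsafe { syscall(SYS_KEYCTL, KEYCTL_SET_TIMEOUT, id, ttl_secs as c_long) })?;
    Ok(id)
}

/// Like `keyctl search @u user <desc>`: resolve the name to a serial (ENOKEY if absent).
pub fn find_ticket(desc: &str) -> io::Result<c_long> {
    let (ktype, cdesc) = (CString::new("user")?, CString::new(desc)?);
    check(unsafe {
        syscall(SYS_KEYCTL, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING, ktype.as_ptr(), cdesc.as_ptr(), 0 as c_long)
    })
}

/// Like `keyctl print <serial>`: read the payload back (truncated at 4 KiB).
pub fn load_ticket(desc: &str) -> io::Result<Vec<u8>> {
    let id = find_ticket(desc)?;
    let mut buf = vec![0u8; 4096];
    let n = check(unsafe { syscall(SYS_KEYCTL, KEYCTL_READ, id, buf.as_mut_ptr() as *mut c_void, buf.len()) })?;
    buf.truncate((n as usize).min(buf.len()));
    Ok(buf)
}

/// Drop the ticket from @u on logout, like `keyctl unlink <serial> @u`.
pub fn forget_ticket(desc: &str) -> io::Result<()> {
    check(unsafe { syscall(SYS_KEYCTL, KEYCTL_UNLINK, find_ticket(desc)?, KEY_SPEC_USER_KEYRING) }).map(|_| ())
}
```

Looking the key up by its description each time avoids having to persist the serial number anywhere, and the timeout means a stale ticket disappears on its own even if the client never runs its logout path.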