[pbs-devel] [PATCH backup v3 1/2] http_client: store tickets in the user's config directory
Maximiliano Sandoval
m.sandoval at proxmox.com
Fri Apr 18 15:20:29 CEST 2025
Thomas Lamprecht <t.lamprecht at proxmox.com> writes:
> Am 18.04.25 um 14:47 schrieb Maximiliano Sandoval:
>> Regarding kernel keyring or systemd creds, at least the later requires
>> root access as of debian 12. An issue common to these three mechanisms
>> is that they all make assumptions about permissions, the backup client
>> could be run as an arbitrary user which might not have permissions to
>> any of /run, the keyring, nor the system credentials.
>
> The kernel keyring does not read root, it works as every user and has
> a per user (uid) keyring as one of it default keyrings, which makes it
> quite neat and normally exactly the right choice for such stuff.
>
Interesting. I will take a look.
>
> You can use the keyctl as CLI tool to experiment with the keyring without
> having to write a program using the syscalls directly.
>
> The following example works just fine a standard user, as it should work
> for every UID on the system. It adds a user key named "test" in the "@u"
> uid keyring:
>
> keyctl add user test "super secure ticket" @u
>
> It returns the key serial number (ID), but you can also list the keys
> from a keyring:
>
> keyctl list @u
>
>
> Or search by name:
>
> keyctl search @u user test
>
> And then use the serial number to read the content, e.g.:
>
> keyctl print 304368094
>
> The only "downside" is that it won't survive a reboot, so if a user
Not an issue in this particular case, as the current approach won't
survive the user logging out either.
> frequently reboots but would like to stay logged in then this won't
> work, but tbh. I'd just tell them: though luck, use an API token and
> handle passing it yourself in that case that is IMO rather.
>
> I'd not be surprised if Wolfgang either has rust code for accessing
> the keyring nicely or maybe knows a sane and current crate for that.
> In any case, this seems like a much nicer solution all around to me,
> but I naturally could have overlooked some drawback.
Regarding the system credentials, it is also possible to use them as a
regular user on newer systemd versions (than the one offered by Debian
12), however I have not read yet about what security guarantees they
offer.
More information about the pbs-devel
mailing list