| blob | 3b9a008708cdef61dd0ec08a1ec77567361d0b1d |
1 .\"
2 .\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
3 .\" Written by David Howells (dhowells@redhat.com)
4 .\"
5 .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
6 .\" This program is free software; you can redistribute it and/or
7 .\" modify it under the terms of the GNU General Public License
8 .\" as published by the Free Software Foundation; either version
9 .\" 2 of the License, or (at your option) any later version.
10 .\" %%%LICENSE_END
11 .\"
12 .TH SESSION-KEYRING 7 2017-09-15 Linux "Linux Programmer's Manual"
13 .SH NAME
14 session-keyring \- session shared process keyring
15 .SH DESCRIPTION
16 The session keyring is a keyring used to anchor keys on behalf of a process.
17 It is typically created by
18 .BR pam_keyinit (8)
19 when a user logs in and a link will be added that refers to the
20 .BR user-keyring (7).
21 Optionally, PAM may revoke the session keyring on logout.
22 (In typical configurations, PAM does do this revocation.)
23 The session keyring has the name (description)
24 .IR _ses .
25 .PP
26 A special serial number value,
27 .BR KEY_SPEC_SESSION_KEYRING ,
28 is defined that can be used in lieu of the actual serial number of
29 the calling process's session keyring.
30 .PP
31 From the
32 .BR keyctl (1)
33 utility, '\fB@s\fP' can be used instead of a numeric key ID in
34 much the same way.
35 .PP
36 A process's session keyring is inherited across
37 .BR clone (2),
38 .BR fork (2),
39 and
40 .BR vfork (2).
41 The session keyring
42 is preserved across
43 .BR execve (2),
44 even when the executable is set-user-ID or set-group-ID or has capabilities.
45 The session keyring is destroyed when the last process that
46 refers to it exits.
47 .PP
48 If a process doesn't have a session keyring when it is accessed, then,
49 under certain circumstances, the
50 .BR user-session-keyring (7)
51 will be attached as the session keyring
52 and under others a new session keyring will be created.
53 (See
54 .BR user-session-keyring (7)
55 for further details.)
56 .SS Special operations
57 The
58 .I keyutils
59 library provides the following special operations for manipulating
60 session keyrings:
61 .TP
62 .BR keyctl_join_session_keyring (3)
63 This operation allows the caller to change the session keyring
64 that it subscribes to.
65 The caller can join an existing keyring with a specified name (description),
66 create a new keyring with a given name,
67 or ask the kernel to create a new "anonymous"
68 session keyring with the name "_ses".
69 (This function is an interface to the
70 .BR keyctl (2)
71 .B KEYCTL_JOIN_SESSION_KEYRING
72 operation.)
73 .TP
74 .BR keyctl_session_to_parent (3)
75 This operation allows the caller to make the parent process's
76 session keyring to the same as its own.
77 For this to succeed, the parent process must have
78 identical security attributes and must be single threaded.
79 (This function is an interface to the
80 .BR keyctl (2)
81 .B KEYCTL_SESSION_TO_PARENT
82 operation.)
83 .PP
84 These operations are also exposed through the
85 .BR keyctl (1)
86 utility as:
87 .PP
88 .in +4n
89 .EX
90 keyctl session
91 keyctl session - [<prog> <arg1> <arg2> ...]
92 keyctl session <name> [<prog> <arg1> <arg2> ...]
93 .EE
94 .in
95 .PP
96 and:
97 .PP
98 .in +4n
99 .EX
100 keyctl new_session
101 .EE
102 .in
103 .SH SEE ALSO
104 .ad l
105 .nh
106 .BR keyctl (1),
107 .BR keyctl (3),
108 .BR keyctl_join_session_keyring (3),
109 .BR keyctl_session_to_parent (3),
110 .BR keyrings (7),
111 .BR persistent\-keyring (7),
112 .BR process\-keyring (7),
113 .BR thread\-keyring (7),
114 .BR user\-keyring (7),
115 .BR user\-session\-keyring (7),
116 .BR pam_keyinit (8)