keyrings(7)             Miscellaneous Information Manual             keyrings(7)

NAME
       keyrings - in-kernel key management and retention facility

DESCRIPTION
       The Linux keyrings facility is accessed from user space primarily
       through the add_key(2), request_key(2) and keyctl(2) system calls.
       The keyctl(1) command-line utility, the keyctl(3) library functions
       and the keyutils(7) package are documented in their own pages.

   Keys
       Each key has a unique serial number (ID), a type, a description and a
       payload.  Keys are looked up by type and description, for example via
       request_key(2).

       Much as files do, each key has an owning user ID, an owning group ID,
       and a security label.  Each key also has a set of permissions, though
       there are more than for a normal UNIX file, and there is an additional
       category--possessor--beyond the usual user, group, and other (see
       Possession, below).

       A key may carry an expiry time.  Operations on an expired key fail
       with the error EKEYEXPIRED; once the expired key has been garbage
       collected it can no longer be found at all (ENOKEY).

   Key types
       "keyring"
              A keyring holds links to other keys (including other
              keyrings).  Keyrings with descriptions (names) that begin with
              a period ('.') are reserved to the implementation.

       "user" A general-purpose key type.  The payload is an arbitrary blob
              of up to 32767 bytes.  It is recommended, but not enforced,
              that the description begins with a service prefix (for
              example "afs:mykey").

       "logon" (since Linux 3.3)
              Like "user", except that the payload cannot be read back from
              user space (keyctl(2) KEYCTL_READ fails).  The description of
              a "logon" key must start with a non-empty colon-delimited
              prefix whose purpose is to identify the service to which the
              key belongs.  (Note that this differs from keys of the "user"
              type, where the inclusion of a prefix is recommended but is
              not enforced.)

       "big_key" (since Linux 3.13)
              Like "user", but the payload may be up to 1 MiB.  This is
              useful, for example, for Kerberos credentials.  Large payloads
              are stored in tmpfs rather than in kernel memory (and can
              therefore be swapped out).  Since Linux 4.8 the data held in
              tmpfs is encrypted.

       Key type names that begin with a period ('.') are reserved to the
       implementation.

   Keyrings
       A keyring is itself a key and can be linked into other keyrings.  A
       key that is not linked from any keyring is subject to garbage
       collection.  Keyrings are manipulated with, among others,
       keyctl_clear(3), keyctl_link(3), keyctl_search(3) and
       keyctl_unlink(3).

   Anchoring keys
       Process keyrings
              Every process has access to a session-keyring(7), a
              process-keyring(7) and a thread-keyring(7).  They are referred
              to in add_key(2), keyctl(2) and request_key(2) by the special
              IDs KEY_SPEC_SESSION_KEYRING, KEY_SPEC_PROCESS_KEYRING and
              KEY_SPEC_THREAD_KEYRING.

       User keyrings
              Each UID owns a user-keyring(7) and a user-session-keyring(7),
              referred to by KEY_SPEC_USER_KEYRING and
              KEY_SPEC_USER_SESSION_KEYRING.  pam_keyinit(8) links the user
              keyring into the session keyring at login.

       Persistent keyrings
              Each UID may own a persistent-keyring(7), which outlives the
              user's login session and is therefore usable by, for example,
              cron(8) jobs.

       Special keyrings
              The kernel also maintains a system keyring.

       Group keyrings
              A per-GID keyring, referred to by KEY_SPEC_GROUP_KEYRING, is
              not yet implemented.

   Possession
       A process possesses a key according to the following rules:

       (1)  Any key or keyring that does not grant search permission to the
            caller is ignored in all the following rules.

       (2)  The session-keyring(7), process-keyring(7) and thread-keyring(7)
            of the process are possessed.

       (3)  Any key linked from a possessed keyring that grants search
            permission is also possessed.

       (4)  Rule (3) is applied recursively.

       (5)  If the process holds an authorization key (see request_key(2)),
            the key it refers to is possessed, subject to rule (1).

       For set-user-ID programs, note which UID and GID are used for the
       permission checks; see pam_keyinit(8) and user-keyring(7) for how
       the user keyrings are attached to a login session.

   Access rights
       Each key has permission bits for the possessor, the user (matched by
       the key's owning UID), the group (matched by the key's owning GID)
       and other.  The permissions are view, read, write, search, link and
       setattr.  A Linux Security Module (LSM) may additionally restrict
       access; see keyctl_get_security(3).  See also keyctl_chown(3),
       keyctl_describe(3), keyctl_setperm(3) and selinux(8).

   Searching for keys
       request_key(2) searches for a key by type and description, and can
       call out to user space to create it if it is not found:

       (1)  The process keyrings are searched in the following order: the
            thread-keyring(7) if it exists, the process-keyring(7) if it
            exists, and then either the session-keyring(7) if it exists or
            the user-session-keyring(7) if that exists.

       (2)  If no key is found, an upcall is made to user space (the
            request_key(2) callout); this step is skipped by
            keyctl_search(3), which performs only the keyring search.

       (3)  The upcall handler, typically request-key(8), is passed the
            callout_info string supplied to request_key(2).

       (4)  The handler may instantiate the key with the requested payload.

       (5)  Alternatively, the handler may negatively instantiate the key.

       (6)  If the key cannot be provided, the search fails with ENOKEY.

       See request_key(2), keyctl_assume_authority(3),
       keyctl_instantiate(3), keyctl_negate(3), keyctl_reject(3),
       request-key(8) and request-key.conf(5).

   /proc files
       /proc/keys (since Linux 2.6.10)
              Lists the keys that the reading process has view permission
              for.  Keys whose view permission is denied by an LSM are not
              shown.  An example (column numbers added for the explanation
              that follows):

              (1)      (2)     (3) (4)  (5)      (6)  (7)   (8)     (9)
              009a2028 I--Q--- 1   perm 3f010000 1000 1000  user    krb_ccache:primary: 12
              1806c4ba I--Q--- 1   perm 3f010000 1000 1000  keyring _pid: 2
              25d3a08f I--Q--- 1   perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1
              28576bd8 I--Q--- 3   perm 3f010000 1000 1000  keyring _krb: 1
              2c546d21 I--Q--- 190 perm 3f030000 1000 1000  keyring _ses: 2
              30a4e0be I------ 4   2d   1f030000 1000 65534 keyring _persistent.1000: 1
              32100fab I--Q--- 4   perm 1f3f0000 1000 65534 keyring _uid.1000: 2
              32a387ea I--Q--- 1   perm 3f010000 1000 1000  keyring _pid: 2
              3ce56aea I--Q--- 5   perm 3f030000 1000 1000  keyring _ses: 1

              (1)  The key ID, in hexadecimal.

              (2)  Status flags.  The letters I, R, D (dead), Q, U (the key
                   is under construction by a request_key(2) callout), N
                   and i may appear; a '-' marks an unset flag.

              (3)  The usage count (number of references pinning the key,
                   for example links from keyrings).

              (4)  Time to expiry.  perm means the key never expires; expd
                   means it has already expired; otherwise a time remaining
                   is shown (e.g. 2d).

              (5)  The permission mask, in hexadecimal, with one byte each
                   for possessor, user, group and other.  Within a byte the
                   bits are 0x01 view, 0x02 read, 0x04 write, 0x08 search,
                   0x10 link and 0x20 setattr.

              (6)  The owning UID.

              (7)  The owning GID; -1 means the key has no group owner.

              (8)  The key type ("user", "keyring", and so on).

              (9)  The description, in the form name[: extra-info].  For
                   "user" and "logon" keys, extra-info is the payload
                   length.  For "keyring", extra-info is the number of
                   linked keys, or "empty".  For "big_key", extra-info is
                   the payload size, followed by [file] when the payload is
                   held in tmpfs(5) or [buff] when it is held in memory.
                   For ".request_key_auth" (an authorization key created
                   for a request_key(2) callout) it looks like

                       key:c9a9b19 pid:28880 ci:10

                   where key is the ID of the key being instantiated, pid is
                   the PID of the process that made the request and ci is
                   the length of the callout data.

       /proc/key-users (since Linux 2.6.10)
              Lists, per user ID, key usage and quota information, for
              example:

                  0:    10 9/9 2/1000000 22/25000000
                  42:   9 9/9 8/200 106/20000
                  1000: 11 11/11 10/200 271/20000

              The fields are: uid, the user ID; usage, the structure's
              reference count; nkeys/nikeys, the number of keys owned by
              the user and how many of them are instantiated;
              qnkeys/maxkeys, the number of keys counted against the user's
              quota and the quota limit; qnbytes/maxbytes, the payload bytes
              counted against the quota and the byte limit.

       /proc/sys/kernel/keys/gc_delay (since Linux 2.6.32)
              The delay, in seconds, before a revoked or expired key (one
              whose use fails with EKEYREVOKED or EKEYEXPIRED) is garbage
              collected.  The default is 300 (i.e., 5 minutes).

       /proc/sys/kernel/keys/persistent_keyring_expiry (since Linux 3.13)
              The time, in seconds, after which a persistent keyring that
              has not been accessed (via keyctl_get_persistent(3) or the
              keyctl(2) KEYCTL_GET_PERSISTENT operation) expires.  The
              default is 259200 (i.e., 3 days).

       The following files set per-user key quotas:

       /proc/sys/kernel/keys/maxbytes (since Linux 2.6.26)
              Maximum total payload bytes per non-root user.  Default: 20000.

       /proc/sys/kernel/keys/maxkeys (since Linux 2.6.26)
              Maximum number of keys per non-root user.  Default: 200.

       /proc/sys/kernel/keys/root_maxbytes (since Linux 2.6.26)
              Maximum total payload bytes for the root user (UID 0).
              Default: 25000000 (20000 before Linux 3.17).

       /proc/sys/kernel/keys/root_maxkeys (since Linux 2.6.26)
              Maximum number of keys for the root user (UID 0).
              Default: 1000000 (200 before Linux 3.17).

       Note that each link in a keyring consumes 4 bytes of the keyring's
       payload for quota purposes.

   Users of kernel keys
       Several kernel subsystems use the keyrings facility:

       DNS    The kernel issues an upcall to user space to resolve DNS
              names and caches the results as keys.

       AF_RXRPC and kAFS
              AF_RXRPC and the in-kernel AFS client use keys to hold
              authentication tokens.

       NFS    NFS uses keys for ID mapping.

       CIFS   CIFS uses keys to hold credentials.

       User-space users include MIT Kerberos 5 (libkrb5), which can keep
       credential caches in keyrings so that they are usable from cron(8)
       jobs.

SEE ALSO
       keyctl(1), add_key(2), keyctl(2), request_key(2), keyctl(3),
       keyutils(7), persistent-keyring(7), process-keyring(7),
       session-keyring(7), thread-keyring(7), user-keyring(7),
       user-session-keyring(7), pam_keyinit(8), request-key(8)

       In the kernel source: Documentation/crypto/asymmetric-keys.txt and
       Documentation/security/keys (before Linux 4.13,
       Documentation/security/keys.txt).

TRANSLATION
       The Russian translation of this page was made by Alex Nik, Azamat
       Hackimov and Yuri Kozlov and is distributed under the GNU General
       Public License version 3.

Linux man-pages 6.06            31 October 2023                     keyrings(7)