summaryrefslogtreecommitdiff
path: root/keyctl.1
blob: ee8e9824af7ac85338e2435a8fd6998f6cb1a61d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
.\"
.\" Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\"
.TH KEYCTL 1 "17 Nov 2005" Linux "Linux Key Management Utilities"
.SH NAME
keyctl - Key management facility control
.SH SYNOPSIS
\fBkeyctl\fR show
.br
\fBkeyctl\fR add <type> <desc> <data> <keyring>
.br
\fBkeyctl\fR padd <type> <desc> <keyring>
.br
\fBkeyctl\fR request <type> <desc> [<dest_keyring>]
.br
\fBkeyctl\fR request2 <type> <desc> <info> [<dest_keyring>]
.br
\fBkeyctl\fR prequest2 <type> <desc> [<dest_keyring>]
.br
\fBkeyctl\fR update <key> <data>
.br
\fBkeyctl\fR pupdate <key>
.br
\fBkeyctl\fR newring <name> <keyring>
.br
\fBkeyctl\fR revoke <key>
.br
\fBkeyctl\fR clear <keyring>
.br
\fBkeyctl\fR link <key> <keyring>
.br
\fBkeyctl\fR unlink <key> <keyring>
.br
\fBkeyctl\fR search <keyring> <type> <desc> [<dest_keyring>]
.br
\fBkeyctl\fR read <key>
.br
\fBkeyctl\fR pipe <key>
.br
\fBkeyctl\fR print <key>
.br
\fBkeyctl\fR list <keyring>
.br
\fBkeyctl\fR rlist <keyring>
.br
\fBkeyctl\fR describe <keyring>
.br
\fBkeyctl\fR rdescribe <keyring> [sep]
.br
\fBkeyctl\fR chown <key> <uid>
.br
\fBkeyctl\fR chgrp <key> <gid>
.br
\fBkeyctl\fR setperm <key> <mask>
.br
\fBkeyctl\fR session
.br
\fBkeyctl\fR session - [<prog> <arg1> <arg2> ...]
.br
\fBkeyctl\fR session <name> [<prog> <arg1> <arg2> ...]
.br
\fBkeyctl\fR instantiate <key> <data> <keyring>
.br
\fBkeyctl\fR pinstantiate <key> <keyring>
.br
\fBkeyctl\fR negate <key> <timeout> <keyring>
.br
\fBkeyctl\fR timeout <key> <timeout>
.br
\fBkeyctl\fR security <key>
.SH DESCRIPTION
This program is used to control the key management facility in various ways
using a variety of subcommands.
.SH KEY IDENTIFIERS
.P
The key identifiers passed to or returned from keyctl are, in general, positive
integers. There are, however, some special values with special meanings that
can be passed as arguments:
.P
(*) No key: \fB0\fR
.P
(*) Thread keyring: \fB@t\fR or \fB-1\fR
.P
Each thread may have its own keyring. This is searched first, before all
others. The thread keyring is replaced by (v)fork, exec and clone.
.P
(*) Process keyring: \fB@p\fR or \fB-2\fR
.P
Each process (thread group) may have its own keyring. This is shared between
all members of a group and will be searched after the thread keyring. The
process keyring is replaced by (v)fork and exec.
.P
(*) Session keyring: \fB@s\fR or \fB-3\fR
.P
Each process subscribes to a session keyring that is inherited across (v)fork,
exec and clone. This is searched after the process keyring. Session keyrings
can be named and an extant keyring can be joined in place of a process's
current session keyring.
.P
(*) User specific keyring: \fB@u\fR or \fB-4\fR
.P
This keyring is shared between all the processes owned by a particular user. It
isn't searched directly, but is normally linked to from the session keyring.
.P
(*) User default session keyring: \fB@us\fR or \fB-5\fR
.P
This is the default session keyring for a particular user. Login processes that
change to a particular user will bind to this session until another session is
set.
.P
(*) Group specific keyring: \fB@g\fR or \fB-6\fR
.P
This is a place holder for a group specific keyring, but is not actually
implemented yet in the kernel.
.P
(*) Assumed request_key authorisation key: \fB@a\fR or \fB-7\fR
.P
This selects the authorisation key provided to the request_key() helper to
permit it to access the callers keyrings and instantiate the target key.
.SH COMMAND SYNTAX
Any non-ambiguous shortening of a command name may be used in lieu of the full
command name. This facility should not be used in scripting as new commands may
be added in future that then cause ambiguity.
.P
(*) \fBShow process keyrings\fR
.P
\fBkeyctl show\fR
.P
This command recursively shows what keyrings a process is subscribed to and
what keys and keyrings they contain.
.P
(*) \fBAdd a key to a keyring\fR
.P
\fBkeyctl add\fR <type> <desc> <data> <keyring>
.br
\fBkeyctl padd\fR <type> <desc> <keyring>
.P
This command creates a key of the specified type and description; instantiates
it with the given data and attaches it to the specified keyring. It then prints
the new key's ID on stdout:
.P
.RS
testbox>keyctl add user mykey stuff @u
.br
26
.RE
.P
The \fBpadd\fR variant of the command reads the data from stdin rather than
taking it from the command line:
.P
.RS
testbox>echo -n stuff | keyctl padd user mykey @u
.br
26
.RE
.P
(*) \fBRequest a key\fR
.P
\fBkeyctl request\fR <type> <desc> [<dest_keyring>]
.br
\fBkeyctl request2\fR <type> <desc> <info> [<dest_keyring>]
.br
\fBkeyctl prequest2\fR <type> <desc> [<dest_keyring>]
.P
These three commands request the lookup of a key of the given type and
description. The process's keyrings will be searched, and if a match is found
the matching key's ID will be printed to stdout; and if a destination keyring
is given, the key will be added to that keyring also.
.P
If there is no key, the first command will simply return the error ENOKEY and
fail. The second and third commands will create a partial key with the type and
description, and call out to \fB/sbin/request-key\fR with that key and the
extra information supplied. This will then attempt to instantiate the key in
some manner, such that a valid key is obtained.
.P
The third command is like the second, except that the callout information is
read from stdin rather than being passed on the command line.
.P
If a valid key is obtained, the ID will be printed and the key attached as if
the original search had succeeded.
.P
If there wasn't a valid key obtained, a temporary negative key will be attached
to the destination keyring if given and the error "Requested key not available"
will be given.
.P
.RS
testbox>keyctl request2 user debug:hello wibble
.br
23
.br
testbox>echo -n wibble | keyctl prequest2 user debug:hello
.br
23
.br
testbox>keyctl request user debug:hello
.br
23
.RE
.P
(*) \fBUpdate a key\fR
.P
\fBkeyctl update\fR <key> <data>
.br
\fBkeyctl pupdate\fR <key>
.P
This command replaces the data attached to a key with a new set of data. If the
type of the key doesn't support update then error "Operation not supported"
will be returned.
.P
.RS
testbox>keyctl update 23 zebra
.RE
.P
The \fBpupdate\fR variant of the command reads the data from stdin rather than
taking it from the command line:
.P
.RS
testbox>echo -n zebra | keyctl pupdate 23
.RE
.P
(*) \fBCreate a keyring\fR
.P
\fBkeyctl newring\fR <name> <keyring>
.P
This command creates a new keyring of the specified name and attaches it to the
specified keyring. The ID of the new keyring will be printed to stdout if
successful.
.P
.RS
testbox>keyctl newring squelch @us
.br
27
.RE
.P
(*) \fBRevoke a key\fR
.P
\fBkeyctl revoke\fR <key>
.P
This command marks a key as being revoked. Any further operations on that key
(apart from unlinking it) will return error "Key has been revoked".
.P
.RS
testbox>keyctl revoke 26
.br
testbox>keyctl describe 26
.br
keyctl_describe: Key has been revoked
.RE
.P
(*) \fBClear a keyring\fR
.P
\fBkeyctl clear\fR <keyring>
.P
This command unlinks all the keys attached to the specified keyring. Error
"Not a directory" will be returned if the key specified is not a keyring.
.P
.RS
testbox>keyctl clear 27
.RE
.P
(*) \fBLink a key to a keyring\fR
.P
\fBkeyctl link\fR <key> <keyring>
.P
This command makes a link from the key to the keyring if there's enough
capacity to do so. Error "Not a directory" will be returned if the destination
is not a keyring. Error "Permission denied" will be returned if the key doesn't
have link permission or the keyring doesn't have write permission. Error "File
table overflow" will be returned if the keyring is full. Error "Resource
deadlock avoided" will be returned if an attempt was made to introduce a
recursive link.
.P
.RS
testbox>keyctl link 23 27
.br
testbox>keyctl link 27 27
.br
keyctl_link: Resource deadlock avoided
.RE
.P
(*) \fBUnlink a key from a keyring\fR
.P
\fBkeyctl unlink\fR <key> <keyring>
.P
This command removes a link to the key from the keyring. Error "Not a
directory" will be returned if the destination is not a keyring. Error
"Permission denied" will be returned if the keyring doesn't have write
permission. Error "No such file or directory" will be returned if the key is
not linked to by the keyring.
.P
Note that this only removes one key link from the keyring; any further links to
the same key are not deleted.
.P
.RS
testbox>keyctl unlink 23 27
.RE
.P
(*) \fBSearch a keyring\fR
.P
\fBkeyctl search\fR <keyring> <type> <desc> [<dest_keyring>]
.P
This command non-recursively searches a keyring for a key of a particular type
and description. If found, the ID of the key will be printed on stdout and the
key will be attached to the destination keyring if present. Error "Requested
key not available" will be returned if the key is not found.
.P
.RS
testbox>keyctl search @us user debug:hello
.br
23
.br
testbox>keyctl search @us user debug:bye
.br
keyctl_search: Requested key not available
.RE
.P
(*) \fBRead a key\fR
.P
\fBkeyctl read\fR <key>
.br
\fBkeyctl pipe\fR <key>
.br
\fBkeyctl print\fR <key>
.P
These commands read the payload of a key. "read" prints it on stdout as a hex
dump, "pipe" dumps the raw data to stdout and "print" dumps it to stdout
directly if it's entirely printable or as a hexdump preceded by ":hex:" if not.
.P
If the key type does not support reading of the payload, then error "Operation
not supported" will be returned.
.P
.RS
testbox>keyctl read 26
.br
1 bytes of data in key:
.br
62
.br
testbox>keyctl print 26
.br
b
.br
testbox>keyctl pipe 26
.br
btestbox>
.RE
.P
(*) \fBList a keyring\fR
.P
\fBkeyctl list\fR <keyring>
.br
\fBkeyctl rlist\fR <keyring>
.P
These commands list the contents of a key as a keyring. "list" pretty prints
the contents and "rlist" just produces a space-separated list of key IDs.
.P
No attempt is made to check that the specified keyring is a keyring.
.P
.RS
testbox>keyctl list @us
.br
2 keys in keyring:
.br
       22: vrwsl----------  4043    -1 keyring: _uid.4043
.br
       23: vrwsl----------  4043  4043 user: debug:hello
.br
testbox>keyctl rlist @us
.br
22 23
.RE
.P
(*) \fBDescribe a key\fR
.P
\fBkeyctl describe\fR <keyring>
.br
\fBkeyctl rdescribe\fR <keyring> [sep]
.P
These commands fetch a description of a keyring. "describe" pretty prints the
description in the same fashion as the "list" command; "rdescribe" prints the
raw data returned from the kernel.
.P
.RS
testbox>keyctl describe @us
       -5: vrwsl----------  4043    -1 keyring: _uid_ses.4043
testbox>keyctl rdescribe @us
keyring;4043;-1;3f1f0000;_uid_ses.4043
.RE
.P
The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where \fIuid\fR
and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the
permissions mask in hex, \fItype\fR and \fIdescription\fR are the type name and
description strings (neither of which will contain semicolons).
.P
(*) \fBChange the access controls on a key\fR
.P
\fBkeyctl chown\fR <key> <uid>
.br
\fBkeyctl chgrp\fR <key> <gid>
.P
These two commands change the UID and GID associated with evaluating a key's
permissions mask. The UID also governs which quota a key is taken out of.
.P
The chown command is not currently supported; attempting it will earn the error
"Operation not supported" at best.
.P
For non-superuser users, the GID may only be set to the process's GID or a GID
in the process's groups list. The superuser may set any GID it likes.
.P
.RS
testbox>sudo keyctl chown 27 0
.br
keyctl_chown: Operation not supported
.br
testbox>sudo keyctl chgrp 27 0
.RE
.P
(*) \fBSet the permissions mask on a key\fR
.P
\fBkeyctl setperm\fR <key> <mask>
.P
This command changes the permission control mask on a key. The mask may be
specified as a hex number if it begins "0x", an octal number if it begins "0"
or a decimal number otherwise.
.P
The hex numbers are a combination of:
.P
.RS
Possessor UID       GID       Other     Permission Granted
.br
========  ========  ========  ========  ==================
.br
01000000  00010000  00000100  00000001  View
.br
02000000  00020000  00000200  00000002  Read
.br
04000000  00040000  00000400  00000004  Write
.br
08000000  00080000  00000800  00000008  Search
.br
10000000  00100000  00001000  00000010  Link
.br
20000000  00200000  00002000  00000020  Set Attribute
.br
3f000000  003f0000  00003f00  0000003f  All
.RE
.P
\fIView\fR permits the type, description and other parameters of a key to be
viewed.
.P
\fIRead\fR permits the payload (or keyring list) to be read if supported by the
type.
.P
\fIWrite\fR permits the payload (or keyring list) to be modified or updated.
.P
\fISearch\fR on a key permits it to be found when a keyring to which it is
linked is searched.
.P
\fILink\fR permits a key to be linked to a keyring.
.P
\fISet Attribute\fR permits a key to have its owner, group membership,
permissions mask and timeout changed.
.P
.RS
testbox>keyctl setperm 27 0x1f1f1f00
.RE
.P
(*) \fBStart a new session with fresh keyrings\fR
.P
\fBkeyctl session\fR
.br
\fBkeyctl session\fR - [<prog> <arg1> <arg2> ...]
.br
\fBkeyctl session\fR <name> [<prog> <arg1> <arg2> ...]
.P
These commands join or create a new keyring and then run a shell or other
program with that keyring as the session key.
.P
The variation with no arguments just creates an anonymous session keyring and
attaches that as the session keyring; it then exec's $SHELL.
.P
The variation with a dash in place of a name creates an anonymous session
keyring and attaches that as the session keyring; it then exec's the supplied
command, or $SHELL if one isn't supplied.
.P
The variation with a name supplied creates or joins the named keyring and
attaches that as the session keyring; it then exec's the supplied command, or
$SHELL if one isn't supplied.
.P
.RS
testbox>keyctl rdescribe @s
.br
keyring;4043;-1;3f1f0000;_uid_ses.4043
.P
testbox>keyctl session
.br
Joined session keyring: 28
.br
testbox>keyctl rdescribe @s
.br
keyring;4043;4043;3f1f0000;_ses.24082
.P
testbox>keyctl session -
.br
Joined session keyring: 29
.br
testbox>keyctl rdescribe @s
.br
keyring;4043;4043;3f1f0000;_ses.24139
.P
testbox>keyctl session - keyctl rdescribe @s
.br
Joined session keyring: 30
.br
keyring;4043;4043;3f1f0000;_ses.24185
.P
testbox>keyctl session fish 
.br
Joined session keyring: 34
.br
testbox>keyctl rdescribe @s
.br
keyring;4043;4043;3f1f0000;fish
.P
testbox>keyctl session fish keyctl rdesc @s
.br
Joined session keyring: 35
.br
keyring;4043;4043;3f1f0000;fish
.RE
.P
(*) \fBInstantiate a key\fR
.P
\fBkeyctl instantiate\fR <key> <data> <keyring>
.br
\fBkeyctl pinstantiate\fR <key> <keyring>
.br
\fBkeyctl negate\fR <key> <timeout> <keyring>
.P
These commands are used to attach data to a partially set up key (as created by
the kernel and passed to /sbin/request-key). "instantiate" marks a key as being
valid and attaches the data as the payload. "negate" marks a key as invalid and
sets a timeout on it so that it'll go away after a while. This prevents a lot
of quickly sequential requests from slowing the system down overmuch when they
all fail, as all subsequent requests will then fail with error "Requested key
not found" until the negative key has expired.
.P
The newly instantiated key will be attached to the specified keyring.
.P
These commands may only be run from the program run by request-key - a special
authorisation key is set up by the kernel and attached to the request-key's
session keyring. This special key is revoked once the key to which it refers
has been instantiated one way or another.
.P
.RS
testbox>keyctl instantiate $1 "Debug $3" $4
.br
testbox>keyctl negate $1 30 $4
.RE
.P
The \fBpinstantiate\fR variant of the command reads the data from stdin rather
than taking it from the command line:
.P
.RS
testbox>echo -n "Debug $3" | keyctl pinstantiate $1 $4
.RE
.P
(*) \fBSet the expiry time on a key\fR
.P
\fBkeyctl timeout\fR <key> <timeout>
.P
This command is used to set the timeout on a key, or clear an existing timeout
if the value specified is zero. The timeout is given as a number of seconds
into the future.
.P
.RS
testbox>keyctl timeout $1 45
.RE
.P
(*) \fBRetrieve a key's security context\fR
.P
\fBkeyctl security\fR <key>
.P
This command is used to retrieve a key's LSM security context.  The label is
printed on stdout.
.P
.RS
testbox>keyctl security @s
.br
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
.RE
.P
(*) \fBGive the parent process a new session keyring\fR
.P
\fBkeyctl new_session\fR
.P
This command is used to give the invoking process (typically a shell) a new
session keyring, discarding its old session keyring.
.P
.RS
testbox> keyctl session foo
.br
Joined session keyring: 723488146
.br
testbox> keyctl show
.br
Session Keyring
.br
       -3 --alswrv      0     0  keyring: foo
.br
testbox> keyctl new_session
.br
490511412
.br
testbox> keyctl show
.br
Session Keyring
.br
       -3 --alswrv      0     0  keyring: _ses
.RE
.P
Note that this affects the \fIparent\fP of the process that invokes the system
call, and so may only affect processes with matching credentials.
Furthermore, the change does not take effect till the parent process next
transitions from kernel space to user space - typically when the \fBwait\fP()
system call returns.
.SH ERRORS
.P
There are a number of common errors returned by this program:
.P
"Not a directory" - a key wasn't a keyring.
.P
"Requested key not found" - the looked for key isn't available.
.P
"Key has been revoked" - a revoked key was accessed.
.P
"Key has expired" - an expired key was accessed.
.P
"Permission denied" - permission was denied by a UID/GID/mask combination.

.SH SEE ALSO
\fBkeyctl\fR(1), \fBrequest-key.conf\fR(5)