From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Maximiliano Sandoval <m.sandoval@proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>,
	Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH backup v3 1/2] http_client: store tickets in the user's config directory
Date: Fri, 18 Apr 2025 15:14:45 +0200	[thread overview]
Message-ID: <567b74be-6551-497d-82b7-03a2a0690a87@proxmox.com> (raw)
In-Reply-To: <s8ott6liq4q.fsf@proxmox.com>

Am 18.04.25 um 14:47 schrieb Maximiliano Sandoval:
> Regarding kernel keyring or systemd creds, at least the later requires
> root access as of debian 12. An issue common to these three mechanisms
> is that they all make assumptions about permissions, the backup client
> could be run as an arbitrary user which might not have permissions to
> any of /run, the keyring, nor the system credentials.

The kernel keyring does not need root, it works for every user and has
a per user (uid) keyring as one of its default keyrings, which makes it
quite neat and normally exactly the right choice for such stuff.

You can use keyctl as a CLI tool to experiment with the keyring without
having to write a program using the syscalls directly.

The following example works just fine as a standard user, as it should work
for every UID on the system. It adds a user key named "test" in the "@u"
uid keyring:

  keyctl add user test "super secure ticket" @u

It returns the key serial number (ID), but you can also list the keys
from a keyring:

  keyctl list @u


Or search by name:

  keyctl search @u user test

And then use the serial number to read the content, e.g.:

  keyctl print 304368094

The only "downside" is that it won't survive a reboot, so if a user
frequently reboots but would like to stay logged in then this won't
work, but tbh. I'd just tell them: tough luck, use an API token and
handle passing it yourself in that case that is IMO rather.

I'd not be surprised if Wolfgang either has rust code for accessing
the keyring nicely or maybe knows a sane and current crate for that.
In any case, this seems like a much nicer solution all around to me,
but I naturally could have overlooked some drawback.


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
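As an added illustration (not code from this thread or from Proxmox), the following Rust does what the keyctl commands above do, but through the raw add_key(2)/keyctl(2) syscalls a client like proxmox-backup-client would use: it stores a ticket as a "user" key in the per-UID "@u" keyring, finds it by name, and reads the payload back. It assumes Linux on x86_64 or aarch64 (syscall numbers are per-architecture) and a constructed key name.

```rust
use std::ffi::CString;
use std::io;

extern "C" {
    // libc's generic syscall(2) wrapper; every argument is passed as a C long.
    fn syscall(num: i64, ...) -> i64;
}

// Syscall numbers differ per architecture; only these two are covered here.
#[cfg(target_arch = "x86_64")]
const SYS_ADD_KEY: i64 = 248;
#[cfg(target_arch = "x86_64")]
const SYS_KEYCTL: i64 = 250;
#[cfg(target_arch = "aarch64")]
const SYS_ADD_KEY: i64 = 217;
#[cfg(target_arch = "aarch64")]
const SYS_KEYCTL: i64 = 219;

const KEY_SPEC_USER_KEYRING: i64 = -4; // "@u": the per-UID keyring
const KEYCTL_SEARCH: i64 = 10;
const KEYCTL_READ: i64 = 11;

fn check(ret: i64) -> io::Result<i64> {
    if ret == -1 { Err(io::Error::last_os_error()) } else { Ok(ret) }
}

/// `keyctl add user <name> <ticket> @u`: returns the new key's serial number.
pub fn store_ticket(name: &str, ticket: &[u8]) -> io::Result<i32> {
    let ktype = CString::new("user")?;
    let desc = CString::new(name)?;
    let ret = unsafe {
        syscall(SYS_ADD_KEY, ktype.as_ptr(), desc.as_ptr(), ticket.as_ptr(),
                ticket.len() as i64, KEY_SPEC_USER_KEYRING)
    };
    check(ret).map(|id| id as i32)
}

/// `keyctl search @u user <name>` followed by `keyctl print <serial>`.
pub fn lookup_ticket(name: &str) -> io::Result<Vec<u8>> {
    let ktype = CString::new("user")?;
    let desc = CString::new(name)?;
    let id = unsafe {
        check(syscall(SYS_KEYCTL, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING,
                      ktype.as_ptr(), desc.as_ptr(), 0i64))?
    };
    // A NULL buffer makes KEYCTL_READ report the payload size; then read it.
    let len = unsafe { check(syscall(SYS_KEYCTL, KEYCTL_READ, id, 0i64, 0i64))? } as usize;
    let mut buf = vec![0u8; len];
    let n = unsafe { check(syscall(SYS_KEYCTL, KEYCTL_READ, id, buf.as_mut_ptr(), len as i64))? };
    buf.truncate(n as usize);
    Ok(buf)
}
```

Like the keyctl commands, the key lives only in the kernel and disappears on reboot; key permissions default to the owning UID, which is the property the reply relies on.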


Thread overview: 6+ messages
2025-04-16 12:56 Maximiliano Sandoval
2025-04-16 12:56 ` [pbs-devel] [PATCH backup v3 2/2] http_client: add warning when we fail to place a config file Maximiliano Sandoval
2025-04-18 12:46 ` [pbs-devel] [PATCH backup v3 1/2] http_client: store tickets in the user's config directory Thomas Lamprecht
2025-04-18 12:47   ` Maximiliano Sandoval
2025-04-18 13:14     ` Thomas Lamprecht [this message]
2025-04-18 13:20       ` Maximiliano Sandoval
