Diffstat (limited to 'man7')

| Mode       | File                   | Lines changed |
| ---------- | ---------------------- | ------------- |
| -rw-r--r-- | man7/inode.7           | 4             |
| -rw-r--r-- | man7/keyrings.7        | 40            |
| -rw-r--r-- | man7/process-keyring.7 | 2             |
| -rw-r--r-- | man7/user-keyring.7    | 4             |

4 files changed, 25 insertions, 25 deletions
diff --git a/man7/inode.7 b/man7/inode.7 index 3c3614ca29..3ed33d28b0 100644 --- a/man7/inode.7 +++ b/man7/inode.7 @@ -373,7 +373,7 @@ S_IWOTH 00002 others have write permission S_IXOTH 00001 others have execute permission .TE .in -.P +.PP The set-group-ID bit .RB ( S_ISGID ) has several special uses. @@ -387,7 +387,7 @@ For a file that does not have the group execution bit .RB ( S_IXGRP ) set, the set-group-ID bit indicates mandatory file/record locking. -.P +.PP The sticky bit .RB ( S_ISVTX ) on a directory means that a file diff --git a/man7/keyrings.7 b/man7/keyrings.7 index 2ff911ae6a..6c630b3eb3 100644 --- a/man7/keyrings.7 +++ b/man7/keyrings.7 @@ -18,7 +18,7 @@ The Linux key-management facility is primarily a way for various kernel components to retain or cache security data, authentication keys, encryption keys, and other data in the kernel. -.P +.PP System call interfaces are provided so that user-space programs can manage those objects and also use the facility for their own purposes; see .BR add_key (2), @@ -175,7 +175,7 @@ links to other keys (which may include other keyrings). Keys may be linked to by multiple keyrings. Keyrings may be considered as analogous to UNIX directories where each directory contains a set of hard links to files. -.P +.PP Various operations (system calls) may be applied only to keyrings: .IP Adding A key may be added to a keyring by system calls that create keys. @@ -195,7 +195,7 @@ A keyring may be considered the root of a tree or subtree in which keyrings form the branches and non-keyrings the leaves. This tree may be searched for a key matching a particular type and description. -.P +.PP See .BR keyctl_clear (3), .BR keyctl_link (3), 
@@ -326,16 +326,16 @@ If a process is upcalled from the kernel to instantiate a key (see .BR request_key (2)), then it also possesses the requester's keyrings as in rule (1) as if it were the requester. -.P +.PP Note that possession is not a fundamental property of a key, but must rather be calculated each time the key is needed. -.P +.PP Possession is designed to allow set-user-ID programs run from, say a user's shell to access the user's keys. Granting permissions to the key possessor while denying them to the key owner and group allows the prevention of access to keys on the basis of UID and GID matches. -.P +.PP When it creates the session keyring, .BR pam_keyinit (8) adds a link to the @@ -352,7 +352,7 @@ The ID of a group that is permitted to access the key A security label .IP * A permissions mask -.P +.PP The permissions mask contains four sets of rights. The first three sets are mutually exclusive. One and only one will be in force for a particular access check. @@ -367,16 +367,16 @@ filesystem GID or one of the caller's supplementary group IDs. .IP \fIother\fR The set specifies the rights granted if neither the key's user ID nor group ID matched. -.P +.PP The fourth set of rights is: .IP \fIpossessor\fR The set specifies the rights granted if a key is determined to be possessed by the caller. -.P +.PP The complete set of rights for a key is the union of whichever of the first three sets is applicable plus the fourth set if the key is possessed. -.P +.PP The set of rights that may be granted in each of the four masks is as follows: .TP 
@@ -408,14 +408,14 @@ doesn't require this permission. .I setattr The ownership details and security label of the key may be changed, the key's expiration time may be set, and the key may be revoked. -.P +.PP In addition to access rights, any active Linux Security Module (LSM) may prevent access to a key if its policy so dictates. A key may be given a security label or other attribute by the LSM; this label is retrievable via .BR keyctl_get_security (3). -.P +.PP See .BR keyctl_chown (3), .BR keyctl_describe (3), @@ -434,7 +434,7 @@ system call is the primary point of access for user-space applications to find a key. (Internally, the kernel has something similar available for use by internal components that make use of keys.) -.P +.PP The search algorithm works as follows: .IP (1) 4 The process keyrings are searched in the following order: the thread @@ -467,10 +467,10 @@ If no valid matching key is found, then the first noted error state is returned; otherwise, an .B ENOKEY error is returned. -.P +.PP It is also possible to search a specific keyring, in which case only steps (3) to (6) apply. -.P +.PP See .BR request_key (2) and @@ -485,18 +485,18 @@ will, if given a argument, create a new key and then upcall to user space to instantiate the key. This allows keys to be created on an as-needed basis. -.P +.PP Typically, this will involve the kernel creating a new process that executes the .BR request-key (8) program, which will then execute the appropriate handler based on its configuration. -.P +.PP The handler is passed a special authorization key that allows it and only it to instantiate the new key. This is also used to permit searches performed by the handler program to also search the requester's keyrings. -.P +.PP See .BR request_key (2), .BR keyctl_assume_authority (3), 
@@ -814,7 +814,7 @@ note that each link in a keyring consumes 4 bytes of the keyring payload. .SS Users The Linux key-management facility has a number of users and usages, but is not limited to those that already exist. -.P +.PP In-kernel users of this facility include: .TP Network filesystems - DNS @@ -837,7 +837,7 @@ The CIFS filesystem uses keys to store passwords for accessing remote shares. Module verification The kernel build process can be made to cryptographically sign modules. That signature is then checked when a module is loaded. -.P +.PP User-space users of this facility include: .TP Kerberos key storage diff --git a/man7/process-keyring.7 b/man7/process-keyring.7 index 1b50000670..0ba2349d13 100644 --- a/man7/process-keyring.7 +++ b/man7/process-keyring.7 @@ -17,7 +17,7 @@ The process keyring is a keyring used to anchor keys on behalf of a process. It is created only when a process requests it. The process keyring has the name (description) .IR _pid . -.P +.PP A special serial number value, .BR KEY_SPEC_PROCESS_KEYRING , is defined that can be used in lieu of the actual serial number of diff --git a/man7/user-keyring.7 b/man7/user-keyring.7 index 29de53b761..c1791e3daa 100644 --- a/man7/user-keyring.7 +++ b/man7/user-keyring.7 @@ -64,14 +64,14 @@ and .BR _exit (2) excepting that the keyring is destroyed when the UID record is destroyed when the last process pinning it exits. -.P +.PP If it is necessary for a key associated with a user to exist beyond the UID record being garbage collected\(emfor example, for use by a .BR cron (8) script\(emthen the .BR persistent-keyring (7) should be used instead. -.P +.PP If a user keyring does not exist when it is accessed, it will be created. .SH SEE ALSO .ad l |
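Review bot: every hunk in this patch is the same mechanical substitution of `.PP` for `.P`, with no surrounding text touched, so the point to raise applies to the patch as a whole rather than to any single hunk: nothing visible here states why `.PP` is preferred. In the groff man macro package `.P` and `.PP` are synonyms, so the rendered pages do not change, and without a stated reason (portability to older troff implementations, or consistency with the rest of the tree) a later editor is likely to revert it. The keyrings.7 hunks around the possession rules and the permissions-mask description deserve a second look only to confirm that the text following each replaced `.P` is byte-identical, which it is in the context lines shown.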
