[Secure-testing-team] Bug#748354: keyutils: key timeout have reset after udev starts

Dmitriy Matrosov sgf.dma at gmail.com
Fri May 16 14:10:37 UTC 2014


Package: keyutils
Version: 1.5.6-1
Severity: normal
Tags: security

Hi.

The key timeout set in initramfs gets reset after the udev init script has run.

How to reproduce:
1. Add a key and set a timeout on it in initramfs. E.g. use an encrypted root and
open it using the decrypt_keyctl script from the cryptsetup package (to cache the
password). The crypttab entry may look like:

    jessie_root   /dev/reiji/enc_jessie_root   reiji   luks,keyscript=decrypt_keyctl

The decrypt_keyctl script sets a timeout of 60 seconds on all cached passwords.
2. Add an init script (below) which runs before udev and waits for 60 seconds to
ensure that the timeout still works. It may have an LSB header like:

    ### BEGIN INIT INFO
    # Provides:          keyctl-test
    # Required-Start:    mountkernfs
    # Required-Stop:     
    # X-Interactive:     false
    # X-Start-Before:    udev
    # X-Stop-After:      udev
    # Default-Start:     S
    # Default-Stop:      0 6
    # Short-Description: Wait for keyctl timeout to expire
    # Description:
    ### END INIT INFO

and restart the system. You'll see the line

    key inaccessible (key has expired)

when the keyctl-test script runs `keyctl show @u` after waiting for 60 seconds.
3. Now change the LSB header so that keyctl-test starts right after udev. It may
look like:

    ### BEGIN INIT INFO
    # Provides:          keyctl-test
    # Required-Start:    udev
    # Required-Stop:     udev
    # X-Interactive:     false
    # X-Start-Before:    keyboard-setup mdadm-raid mountdevsubfs
    # X-Stop-After:      
    # Default-Start:     S
    # Default-Stop:      0 6
    # Short-Description: Wait for keyctl timeout to expire
    # Description:
    ### END INIT INFO

and restart the system again. Now, after waiting for 60 seconds, `keyctl show @u`
will still list the key added during root fs unlocking from initramfs.

The keyctl-test init script may look like:

    #!/bin/sh
    # keyctl-test: wait out the 60 second decrypt_keyctl timeout, then dump
    # the user keyring. If the timeout survived, the cached key is reported
    # as "key inaccessible (key has expired)"; if it was reset, the key is
    # still listed with its payload.

    do_start()
    {
        echo "Waiting for keyctl timeout to expire.." >&2
        sleep 60
        echo "..done" >&2
        keyctl show @u
    }

    case "$1" in
    start)
        do_start
        ;;
    stop|restart|reload|force-reload|force-start)
        echo "....."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload|force-start}"
        exit 1
        ;;
    esac

    exit 0



To work around this I may use a simple script for clearing the keyring, which
runs when all volumes requiring a password have been opened. I may run it using
the 'check=' option in crypttab. E.g. the last crypttab line which uses a cached
password may look like:

    w7   /dev/sdb2   reiji   luks,keyscript=decrypt_keyctl,check=keyctl_clear

and the keyctl_clear script should be placed in /lib/cryptsetup/checks/ and may
look like:

    #!/bin/sh
    # Runs as a cryptsetup check after the last cached-password volume has
    # been opened: drop every cached passphrase from the user keyring.
    # Always report success so the opened volume is not closed again.

    keyctl clear @u || exit 0

--
    Dmitriy Matrosov

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages keyutils depends on:
ii  libc6         2.18-5
ii  libkeyutils1  1.5.6-1

keyutils recommends no packages.

keyutils suggests no packages.

-- no debconf information
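The report above shows the symptom with `keyctl show @u`, which only tells you
whether a key is still readable. A more direct check after udev has started is
to look at the timeout column of /proc/keys, where a key that lost its expiry
shows up as "perm". The script below is an added example, not part of this bug
report, of keyutils or of cryptsetup. The /proc/keys sample lines are
constructed, and the "cryptsetup:" description prefix is an assumption about how
decrypt_keyctl names its cached keys; the column layout (serial, flags, usage,
timeout, perms, uid, gid, type, description) is the one the kernel prints.

```sh
#!/bin/sh
# Added example (not from the bug report, keyutils or cryptsetup): find cached
# passphrase keys in /proc/keys that no longer carry a timeout, which is the
# symptom described in the report (the timeout column has become "perm").
#
# /proc/keys columns: serial flags usage timeout perms uid gid type description
# The timeout column is "perm" (no expiry), "expd" (already expired) or the
# remaining time, e.g. "59s". The lines below are constructed sample data and
# the "cryptsetup:" description prefix is an assumption.

SAMPLE_KEYS='3d33a6a9 I--Q---     1 perm 3f010000     0     0 keyring   _uid.0: 2
0c7ff5a0 I--Q---     1  59s 3f010000     0     0 user      cryptsetup:jessie_root: 32
2b91c004 I--Q---     1 perm 3f010000     0     0 user      cryptsetup:w7: 32
1a2b3c4d I--Q---     1 expd 3f010000     0     0 user      cryptsetup:old: 32'

# list_user_keys FILE [TYPE]
# Print "serial timeout description" for every key of TYPE (default: user).
list_user_keys() {
    awk -v want="${2:-user}" '
        $8 == want {
            desc = $9
            for (i = 10; i <= NF; i++) desc = desc " " $i
            print $1, $4, desc
        }' "$1"
}

# permanent_user_keys FILE
# Print the serials of user keys whose timeout column is "perm": cached
# passphrases that should have expired but now live until the keyring is
# cleared or the machine reboots.
permanent_user_keys() {
    awk '$8 == "user" && $4 == "perm" { print $1 }' "$1"
}

# count_permanent_user_keys FILE
# Print how many such keys there are (0 means every user key still expires).
count_permanent_user_keys() {
    permanent_user_keys "$1" | wc -l | tr -d ' '
}

# check_keys FILE
# Return 0 if no user key lost its timeout, 1 otherwise (with a listing).
check_keys() {
    n=$(count_permanent_user_keys "$1")
    if [ "$n" -eq 0 ]; then
        echo "ok: all user keys carry a timeout or have expired" >&2
        return 0
    fi
    echo "WARNING: $n user key(s) without timeout in $1:" >&2
    list_user_keys "$1" | awk '$2 == "perm"' >&2
    return 1
}

# Stand-alone run: check the constructed sample first, then the live
# /proc/keys if it is readable (it usually is not inside a container).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$tmp"
check_keys "$tmp" || true
rm -f "$tmp"
[ -r /proc/keys ] && check_keys /proc/keys || true
```

Run it once from an init script placed right after udev, as keyctl-test is in
the second LSB header above; a non-zero exit from check_keys on the live
/proc/keys means the cached passphrase will outlive its 60 second timeout and
the keyctl_clear workaround (or a reboot) is the only thing that removes it.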
