Provided by: keyutils_1.5.2-2_amd64 bug

NAME

       keyctl - Key management facility control

SYNOPSIS

       keyctl show
       keyctl add <type> <desc> <data> <keyring>
       keyctl padd <type> <desc> <keyring>
       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]
       keyctl update <key> <data>
       keyctl pupdate <key>
       keyctl newring <name> <keyring>
       keyctl revoke <key>
       keyctl clear <keyring>
       keyctl link <key> <keyring>
       keyctl unlink <key> <keyring>
       keyctl search <keyring> <type> <desc> [<dest_keyring>]
       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>
       keyctl list <keyring>
       keyctl rlist <keyring>
       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]
       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>
       keyctl setperm <key> <mask>
       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]
       keyctl instantiate <key> <data> <keyring>
       keyctl pinstantiate <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>
       keyctl timeout <key> <timeout>
       keyctl security <key>
       keyctl reap [-v]
       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>

DESCRIPTION

       This  program  is  used  to  control  the  key management facility in various ways using a
       variety of subcommands.

KEY IDENTIFIERS

       The key identifiers passed to or returned from keyctl are, in general, positive  integers.
       There  are,  however,  some  special  values  with  special meanings that can be passed as
       arguments:

       (*) No key: 0

       (*) Thread keyring: @t or -1

       Each thread may have its own keyring. This is  searched  first,  before  all  others.  The
       thread keyring is replaced by (v)fork, exec and clone.

       (*) Process keyring: @p or -2

       Each  process  (thread group) may have its own keyring. This is shared between all members
       of a group and will be searched after the thread keyring. The process keyring is  replaced
       by (v)fork and exec.

       (*) Session keyring: @s or -3

       Each  process  subscribes  to a session keyring that is inherited across (v)fork, exec and
       clone. This is searched after the process keyring. Session keyrings can be  named  and  an
       extant keyring can be joined in place of a process's current session keyring.

       (*) User specific keyring: @u or -4

       This  keyring  is  shared  between  all the processes owned by a particular user. It isn't
       searched directly, but is normally linked to from the session keyring.

       (*) User default session keyring: @us or -5

       This is the default session keyring for a particular user. Login processes that change  to
       a particular user will bind to this session until another session is set.

       (*) Group specific keyring: @g or -6

       This  is  a place holder for a group specific keyring, but is not actually implemented yet
       in the kernel.

       (*) Assumed request_key authorisation key: @a or -7

       This selects the authorisation key provided to the request_key() helper to  permit  it  to
       access the callers keyrings and instantiate the target key.

COMMAND SYNTAX

       Any  non-ambiguous  shortening  of  a command name may be used in lieu of the full command
       name. This facility should not be used in scripting as new commands may be added in future
       that then cause ambiguity.

       (*) Show process keyrings

       keyctl show

       This  command recursively shows what keyrings a process is subscribed to and what keys and
       keyrings they contain.

       (*) Add a key to a keyring

       keyctl add <type> <desc> <data> <keyring>
       keyctl padd <type> <desc> <keyring>

       This command creates a key of the specified type and description; instantiates it with the
       given  data  and  attaches it to the specified keyring. It then prints the new key's ID on
       stdout:

              testbox>keyctl add user mykey stuff @u
              26

       The padd variant of the command reads the data from stdin rather than taking it  from  the
       command line:

              testbox>echo -n stuff | keyctl padd user mykey @u
              26

       (*) Request a key

       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]

       These  three  commands  request the lookup of a key of the given type and description. The
       process's keyrings will be searched, and if a match is found the matching key's ID will be
       printed  to  stdout;  and if a destination keyring is given, the key will be added to that
       keyring also.

       If there is no key, the first command will simply return the error ENOKEY  and  fail.  The
       second  and  third  commands  will create a partial key with the type and description, and
       call out to /sbin/request-key with that key and the extra information supplied. This  will
       then attempt to instantiate the key in some manner, such that a valid key is obtained.

       The  third  command  is  like the second, except that the callout information is read from
       stdin rather than being passed on the command line.

       If a valid key is obtained, the ID will be printed and the key attached as if the original
       search had succeeded.

       If  there  wasn't  a  valid key obtained, a temporary negative key will be attached to the
       destination keyring if given and the error "Requested key not available" will be given.

              testbox>keyctl request2 user debug:hello wibble
              23
              testbox>echo -n wibble | keyctl prequest2 user debug:hello
              23
              testbox>keyctl request user debug:hello
              23

       (*) Update a key

       keyctl update <key> <data>
       keyctl pupdate <key>

       This command replaces the data attached to a key with a new set of data. If  the  type  of
       the key doesn't support update then error "Operation not supported" will be returned.

              testbox>keyctl update 23 zebra

       The  pupdate  variant  of the command reads the data from stdin rather than taking it from
       the command line:

              testbox>echo -n zebra | keyctl pupdate 23

       (*) Create a keyring

       keyctl newring <name> <keyring>

       This command creates a new keyring of the specified name and attaches it to the  specified
       keyring. The ID of the new keyring will be printed to stdout if successful.

              testbox>keyctl newring squelch @us
              27

       (*) Revoke a key

       keyctl revoke <key>

       This  command marks a key as being revoked. Any further operations on that key (apart from
       unlinking it) will return error "Key has been revoked".

              testbox>keyctl revoke 26
              testbox>keyctl describe 26
              keyctl_describe: Key has been revoked

       (*) Clear a keyring

       keyctl clear <keyring>

       This command unlinks all the  keys  attached  to  the  specified  keyring.  Error  "Not  a
       directory" will be returned if the key specified is not a keyring.

              testbox>keyctl clear 27

       (*) Link a key to a keyring

       keyctl link <key> <keyring>

       This command makes a link from the key to the keyring if there's enough capacity to do so.
       Error "Not a directory" will be returned if  the  destination  is  not  a  keyring.  Error
       "Permission  denied"  will  be  returned  if  the  key doesn't have link permission or the
       keyring doesn't have write permission. Error "File table overflow" will be returned if the
       keyring is full. Error "Resource deadlock avoided" will be returned if an attempt was made
       to introduce a recursive link.

              testbox>keyctl link 23 27
              testbox>keyctl link 27 27
              keyctl_link: Resource deadlock avoided

       (*) Unlink a key from a keyring or the session keyring tree

       keyctl unlink <key> [<keyring>]

       If the keyring is specified, this command removes a link to  the  key  from  the  keyring.
       Error  "Not  a  directory"  will  be  returned  if the destination is not a keyring. Error
       "Permission denied" will be returned if the keyring doesn't have write  permission.  Error
       "No such file or directory" will be returned if the key is not linked to by the keyring.

       If the keyring is not specified, this command performs a depth-first search of the session
       keyring tree and removes all the links to the nominated key that it finds (and that it  is
       permitted to remove).  It prints the number of successful unlinks before exiting.

              testbox>keyctl unlink 23 27

       (*) Search a keyring

       keyctl search <keyring> <type> <desc> [<dest_keyring>]

       This  command  non-recursively  searches  a  keyring  for  a  key of a particular type and
       description. If found, the ID of the key will be printed on stdout and  the  key  will  be
       attached  to  the destination keyring if present. Error "Requested key not available" will
       be returned if the key is not found.

              testbox>keyctl search @us user debug:hello
              23
              testbox>keyctl search @us user debug:bye
              keyctl_search: Requested key not available

       (*) Read a key

       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>

       These commands read the payload of a key. "read" prints it on stdout as a hex dump, "pipe"
       dumps  the  raw  data  to  stdout and "print" dumps it to stdout directly if it's entirely
       printable or as a hexdump preceded by ":hex:" if not.

       If the key type does not support  reading  of  the  payload,  then  error  "Operation  not
       supported" will be returned.

              testbox>keyctl read 26
              1 bytes of data in key:
              62
              testbox>keyctl print 26
              b
              testbox>keyctl pipe 26
              btestbox>

       (*) List a keyring

       keyctl list <keyring>
       keyctl rlist <keyring>

       These  commands list the contents of a key as a keyring. "list" pretty prints the contents
       and "rlist" just produces a space-separated list of key IDs.

       No attempt is made to check that the specified keyring is a keyring.

              testbox>keyctl list @us
              2 keys in keyring:
                     22: vrwsl----------  4043    -1 keyring: _uid.4043
                     23: vrwsl----------  4043  4043 user: debug:hello
              testbox>keyctl rlist @us
              22 23

       (*) Describe a key

       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]

       These commands fetch a description of a keyring. "describe" pretty prints the  description
       in  the  same fashion as the "list" command; "rdescribe" prints the raw data returned from
       the kernel.

              testbox>keyctl describe @us
                     -5:  vrwsl----------   4043     -1  keyring:  _uid_ses.4043   testbox>keyctl
              rdescribe @us keyring;4043;-1;3f1f0000;_uid_ses.4043

       The  raw  string  is "<type>;<uid>;<gid>;<perms>;<description>", where uid and gid are the
       decimal user and group IDs, perms is the permissions mask in hex, type and description are
       the type name and description strings (neither of which will contain semicolons).

       (*) Change the access controls on a key

       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>

       These  two  commands change the UID and GID associated with evaluating a key's permissions
       mask. The UID also governs which quota a key is taken out of.

       The chown command is not currently supported; attempting it will earn the error "Operation
       not supported" at best.

       For  non-superuser  users,  the  GID  may only be set to the process's GID or a GID in the
       process's groups list. The superuser may set any GID it likes.

              testbox>sudo keyctl chown 27 0
              keyctl_chown: Operation not supported
              testbox>sudo keyctl chgrp 27 0

       (*) Set the permissions mask on a key

       keyctl setperm <key> <mask>

       This command changes the permission control mask on a key. The mask may be specified as  a
       hex  number  if  it  begins  "0x",  an  octal  number if it begins "0" or a decimal number
       otherwise.

       The hex numbers are a combination of:

              Possessor UID       GID       Other     Permission Granted
              ========  ========  ========  ========  ==================
              01000000  00010000  00000100  00000001  View
              02000000  00020000  00000200  00000002  Read
              04000000  00040000  00000400  00000004  Write
              08000000  00080000  00000800  00000008  Search
              10000000  00100000  00001000  00000010  Link
              20000000  00200000  00002000  00000020  Set Attribute
              3f000000  003f0000  00003f00  0000003f  All

       View permits the type, description and other parameters of a key to be viewed.

       Read permits the payload (or keyring list) to be read if supported by the type.

       Write permits the payload (or keyring list) to be modified or updated.

       Search on a key permits it to be found when a keyring to which it is linked is searched.

       Link permits a key to be linked to a keyring.

       Set Attribute permits a key to have its owner,  group  membership,  permissions  mask  and
       timeout changed.

              testbox>keyctl setperm 27 0x1f1f1f00

       (*) Start a new session with fresh keyrings

       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]

       These  commands  join  or  create a new keyring and then run a shell or other program with
       that keyring as the session key.

       The variation with no arguments just creates an anonymous  session  keyring  and  attaches
       that as the session keyring; it then exec's $SHELL.

       The  variation  with  a  dash  in place of a name creates an anonymous session keyring and
       attaches that as the session keyring; it then exec's the supplied command,  or  $SHELL  if
       one isn't supplied.

       The variation with a name supplied creates or joins the named keyring and attaches that as
       the session keyring; it then exec's the supplied command, or $SHELL if one isn't supplied.

              testbox>keyctl rdescribe @s
              keyring;4043;-1;3f1f0000;_uid_ses.4043

              testbox>keyctl session
              Joined session keyring: 28
              testbox>keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24082

              testbox>keyctl session -
              Joined session keyring: 29
              testbox>keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24139

              testbox>keyctl session - keyctl rdescribe @s
              Joined session keyring: 30
              keyring;4043;4043;3f1f0000;_ses.24185

              testbox>keyctl session fish
              Joined session keyring: 34
              testbox>keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;fish

              testbox>keyctl session fish keyctl rdesc @s
              Joined session keyring: 35
              keyring;4043;4043;3f1f0000;fish

       (*) Instantiate a key

       keyctl instantiate <key> <data> <keyring>
       keyctl pinstantiate <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>

       These commands are used to attach data to a partially set up key (as created by the kernel
       and  passed  to /sbin/request-key).  "instantiate" marks a key as being valid and attaches
       the data as the payload.  "negate" and "reject" mark a key as invalid and sets  a  timeout
       on  it  so  that  it'll  go away after a while.  This prevents a lot of quickly sequential
       requests from slowing the system down overmuch when  they  all  fail,  as  all  subsequent
       requests will then fail with error "Requested key not found" (if negated) or the specified
       error (if rejected) until the negative key has expired.

       Reject's error argument can either be a UNIX error number or one of 'rejected',  'expired'
       or 'revoked'.

       The newly instantiated key will be attached to the specified keyring.

       These  commands  may  only  be  run  from  the  program  run  by  request-key  - a special
       authorisation key is set up by the  kernel  and  attached  to  the  request-key's  session
       keyring. This special key is revoked once the key to which it refers has been instantiated
       one way or another.

              testbox>keyctl instantiate $1 "Debug $3" $4
              testbox>keyctl negate $1 30 $4
              testbox>keyctl reject $1 30 64 $4

       The pinstantiate variant of the command reads the data from stdin rather  than  taking  it
       from the command line:

              testbox>echo -n "Debug $3" | keyctl pinstantiate $1 $4

       (*) Set the expiry time on a key

       keyctl timeout <key> <timeout>

       This  command  is  used  to  set the timeout on a key, or clear an existing timeout if the
       value specified is zero. The timeout is given as a number of seconds into the future.

              testbox>keyctl timeout $1 45

       (*) Retrieve a key's security context

       keyctl security <key>

       This command is used to retrieve a key's LSM security context.  The label  is  printed  on
       stdout.

              testbox>keyctl security @s
              unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

       (*) Give the parent process a new session keyring

       keyctl new_session

       This  command  is  used  to  give  the  invoking process (typically a shell) a new session
       keyring, discarding its old session keyring.

              testbox> keyctl session foo
              Joined session keyring: 723488146
              testbox> keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: foo
              testbox> keyctl new_session
              490511412
              testbox> keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: _ses

       Note that this affects the parent of the process that invokes the system call, and so  may
       only  affect  processes  with matching credentials.  Furthermore, the change does not take
       effect till the parent process  next  transitions  from  kernel  space  to  user  space  -
       typically when the wait() system call returns.

       (*) Remove dead keys from the session keyring tree

       keyctl reap

       This  command  performs  a  depth-first  search  of  the caller's session keyring tree and
       attempts to unlink any key that it finds that is inaccessible due to  expiry,  revocation,
       rejection  or  negation.   It  does  not  attempt to remove live keys that are unavailable
       simply due to a lack of granted permission.

       A key that is designated reapable will only be removed from a keyring if  the  caller  has
       Write  permission  on  that keyring, and only keyrings that grant Search permission to the
       caller will be searched.

       The command prints the number of keys reaped before it exits.  If the -v  flag  is  passed
       then  the  reaped  keys  are  listed as they're being reaped, together with the success or
       failure of the unlink.

       (*) Remove matching keys from the session keyring tree

       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>

       These commands perform a depth-first search to find matching keys in the caller's  session
       keyring  tree  and  attempts  to unlink them.  The number of keys successfully unlinked is
       printed at the end.

       The keyrings must grant Read and View permission to the caller to  be  searched,  and  the
       keys  to  be  removed  must  also  grant  View  permission.  Keys can only be removed from
       keyrings that grant Write permission.

       The first variant purges all keys of the specified type.

       The second variant purges all keys of  the  specified  type  that  also  match  the  given
       description literally.  The -i flag allows a case-independent match and the -p flag allows
       a prefix match.

       The third variant purges all keys of the specified type and matching description using the
       key  type's  comparator in the kernel to match the description.  This permits the key type
       to match a key with a variety of descriptions.

ERRORS

       There are a number of common errors returned by this program:

       "Not a directory" - a key wasn't a keyring.

       "Requested key not found" - the looked for key isn't available.

       "Key has been revoked" - a revoked key was accessed.

       "Key has expired" - an expired key was accessed.

       "Permission denied" - permission was denied by a UID/GID/mask combination.

SEE ALSO

       keyctl(1), request-key.conf(5)