demo: using systemd-creds to store a secret as an unprivileged user

[eriksjolund]

Here is a minimal demo showing how to use systemd-creds to store a secret as an unprivileged user and
then run a container to read the secret.

Requirements: systemd 258 or later.

1. Boot up a linux system having systemd 258.
2. Create a test user

   sudo useradd test
   

3. Start a login shell

   sudo machinectl shell --uid=test
   

4. Store secret

   echo -n mysecret | systemd-creds --user encrypt --name=foo - ~/test.creds
   

5. Show file contents

   cat ~/test.creds
   

   The following output is printed

   VbntHThZTUOoMZ0uuzMqxiAAAAABAAAADAAAABAAAABCxt6aVk2+NgBbHcgAAAAABwAAAAAAAACr0mm
   rdNxTJ1SiNNbyoJnkJ4rWOSBR79pJF1oBYhniCICklLrDD9WxHGbg6GN7BTo=
   

6. mkdir -p ~/.config/containers/systemd
7. Create file ~/.config/containers/systemd/demo.container containing

   [Container]
   ContainerName=democontainer
   Image=docker.io/library/alpine:latest
   Exec=sh -c "ls -l /secretdir ; cat /secretdir/foo"
   SecurityLabelDisable=true
   Volume=%d:/secretdir
   [Service]
   LoadCredentialEncrypted=foo:/home/test/test.creds
   

8. Reload the system manager

   systemctl --user daemon-reload
   

9. Start the service

   systemctl --user start demo.service
   

10. Run command

    journalctl --user -xe -u demo.service | grep -B2 mysecret
    

    The following output is printed

    Sep 21 15:57:22 localhost.localdomain democontainer[11405]: total 4
    Sep 21 15:57:22 localhost.localdomain democontainer[11405]: -r--------    1 root     root             8 Sep 21 15:57 foo
    Sep 21 15:57:22 localhost.localdomain democontainer[11405]: mysecret
    

    result: the secret text mysecret is printed by the container

Note, to make it work I had to add

SecurityLabelDisable=true

Is SELinux supposed to be blocking this?

Side note 1:

To try it out on a Linux system with systemd 258, I booted up a Fedora CoreOS vm

(rawhide
https://builds.coreos.fedoraproject.org/browser?stream=rawhide&arch=aarch64)

with the help of the tool vfkit on a macbook.

Side note 2:

Lennart Poettering mentions in a Mastodon post that LoadCredentialEncrypted= was fixed in systemd 258 so that it works for unprivileged users.