I’m working on packaging Proton Pass CLI (PR #470407) and encountering permission issues with the Linux kernel keyring.
The application uses keyring-rs with the kernel backend to store encryption keys. When attempting to store a key via add_key(), it fails with EACCES (Permission denied):
```
> strace -e keyctl result/bin/pass-cli login
keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = 521763819
keyctl(KEYCTL_GET_PERSISTENT, -1, KEY_SPEC_SESSION_KEYRING) = 8888588
keyctl(KEYCTL_SEARCH, 521763819, "user", "keyring-rs:cli-local-key@ProtonP"..., 0) = -1 EACCES (Permission denied)
```
```
> keyctl show
Session Keyring
 844533279 --alswrv   1000 65534  keyring: _uid_ses.1000
 764978731 --alswrv   1000 65534   \_ keyring: _uid.1000
 805469897 --alswrv   1000   100       \_ user: keyring-rs:cli-local-key@ProtonPassCLI
```
The root cause is that the default session keyring _uid_ses.1000 has group 65534 (nogroup), which the user doesn’t belong to and therefore cannot write to.
Temporary solution: Creating a new session keyring works:
```
keyctl session -
pass-cli login   # now succeeds
```
But this keyring is ephemeral and destroyed when the shell exits, requiring re-login each time.
Questions
- Is this an issue with my NixOS configuration?
- Is there an established pattern in nixpkgs for packaging applications that use the Linux kernel keyring?
- Should the keyring configuration be handled at the package level, or is this purely a system-level concern that users need to configure themselves?
- Are there existing packages in nixpkgs that properly handle kernel keyring access I could reference?
Any guidance would be greatly appreciated!
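As an added example (not from the original post, nixpkgs, or the Proton Pass CLI project), here is a POSIX shell diagnostic that parses a `keyctl show` listing and reports every key in the session chain whose gid is not among the caller's groups, which is the ownership mismatch the post above singles out for `_uid_ses.1000`. The embedded sample listing is the one quoted in the post; `check_live_session_keyring` is an assumed helper name that runs the same check against the live keyring with `keyctl show` and `id -G`.

```shell
#!/bin/sh
# Added example: flag keyrings in a `keyctl show` listing whose gid the
# caller is not a member of. Not code from the post or from pass-cli.
#
# Column layout of a `keyctl show` entry (after the "Session Keyring" header):
#   <id> <perms> <uid> <gid> [\_ ...] <type>: <description>
# The "\_" tree marker shifts the later fields, so only the four fixed
# leading columns and the final description field are used.

# Constructed sample input: the listing quoted in the post above.
SAMPLE_KEYCTL_SHOW='Session Keyring
 844533279 --alswrv   1000 65534  keyring: _uid_ses.1000
 764978731 --alswrv   1000 65534   \_ keyring: _uid.1000
 805469897 --alswrv   1000   100       \_ user: keyring-rs:cli-local-key@ProtonPassCLI'

# in_list NEEDLE "w1 w2 ...": succeed when NEEDLE equals one of the words.
in_list() {
    needle=$1
    for word in $2; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# foreign_gid_keys LISTING GROUPS
# Prints "<id> <gid> <description>" for each key whose gid is absent from
# GROUPS (a space-separated list such as the output of `id -G`).
foreign_gid_keys() {
    groups_arg=$2
    printf '%s\n' "$1" | while IFS= read -r line; do
        # Keep only real entries; the header line has no "type:" field.
        case $line in
            *keyring:*|*user:*) ;;
            *) continue ;;
        esac
        set -- $line
        key_id=$1
        key_gid=$4
        # The description is the last whitespace-separated field.
        for last; do :; done
        in_list "$key_gid" "$groups_arg" ||
            printf '%s %s %s\n' "$key_id" "$key_gid" "$last"
    done
}

# Assumed helper name: run the check against the calling user's real
# session keyring. Requires keyutils; prints nothing when every key's gid
# is one of the caller's groups.
check_live_session_keyring() {
    foreign_gid_keys "$(keyctl show)" "$(id -G)"
}

# Stand-alone run against the constructed sample for a user in groups 1000 and 100.
foreign_gid_keys "$SAMPLE_KEYCTL_SHOW" "1000 100"
```

Run against the sample with groups `1000 100`, the script lists the two `65534`-owned keyrings (`_uid_ses.1000` and `_uid.1000`) and not the `user:` key, which sits in group 100; adding 65534 to the group list makes the output empty. The check only compares the gid column, it does not decode the permission mask, so it reports the mismatch the post describes rather than proving which bit denied the search.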