http://bugzilla.novell.com/show_bug.cgi?id=1045886
http://bugzilla.novell.com/show_bug.cgi?id=1045886#c37
--- Comment #37 from Franck Bui
(In reply to Franck Bui from comment #35)
And in this case session keys are visible to all processes running with the same UID, which is not too good.
Still it is better than what we have now.
Nobody is saying the contrary and, as already said, it will be temporarily reverted until we find a better solution. But something better than something broken doesn't necessarily mean that it's something good to keep...
You miss the point. It makes pam_keyinit mandatory without so much as giving any heads-up to users (just try to search for pam_keyinit in systemd NEWS). Before this change pam_keyinit was recommended, but the whole system still worked reasonably well without it.
It's not working reasonably well, see my previous comment. pam_keyinit is not recommended but *strongly* recommended. What do you think the emphasis implies?
So the actual question is whether we want to mandate pam_keyinit and risk security implications if it is missing for some reason.
That's what this bug is all about now, I guess: integrate pam_keyinit in the PAM config so the kernel keyring stuff works as it should and the risk is kept as low as possible. This way we can improve the old setup and may reconsider restoring the keyring feature in systemd.
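The PAM change the comment asks for, plus a way to verify it, as an added example that is not part of the bug report and not code from systemd or pam_keyinit. It shows the pam_keyinit session line that gives each login its own session keyring, and a small POSIX shell check that tells a shared user-default session keyring ("_uid_ses.<UID>", visible to every process of that UID) from a private per-login one ("_ses") using the output of `keyctl describe @s`. The path /etc/pam.d/login, the sample keyctl lines and the serial numbers in them are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd/pam_keyinit.
#
# The fix the comment asks for is a PAM session line such as (path assumed):
#   /etc/pam.d/login:
#     session    optional   pam_keyinit.so    force revoke
# "force" replaces the session keyring inherited from the parent process,
# "revoke" revokes that keyring again when the login process exits. Without
# such a line a login keeps the user-default session keyring "_uid_ses.<UID>",
# which every process of that UID shares; with it, each login gets its own
# "_ses" keyring that other sessions of the same user cannot see.

# Classify the keyring a process uses as @s from one line of
# `keyctl describe @s` output. Prints one word: shared | private | unknown
classify_session_keyring() {
    case "$1" in
        *"keyring: _uid_ses."*) echo shared ;;
        *"keyring: _ses"*)      echo private ;;
        *)                      echo unknown ;;
    esac
}

# Constructed sample lines (not captured from a real host); serial numbers
# and permission masks are made up but follow keyctl's column layout.
SAMPLE_SHARED='  12345678: alswrv-----v------------  1000  1000 keyring: _uid_ses.1000'
SAMPLE_PRIVATE=' 987654321: alswrv-----v------------  1000  1000 keyring: _ses'

# Classify the calling shell's own session keyring when keyctl is installed.
check_current_session() {
    if command -v keyctl >/dev/null 2>&1; then
        classify_session_keyring "$(keyctl describe @s 2>/dev/null)"
    else
        echo unknown
    fi
}

# Demonstration run: the two constructed samples, then the live shell.
echo "constructed shared sample : $(classify_session_keyring "$SAMPLE_SHARED")"
echo "constructed private sample: $(classify_session_keyring "$SAMPLE_PRIVATE")"
echo "this shell's @s keyring   : $(check_current_session)"
```

On a host with keyutils installed, running the script from a login shell before and after adding the pam_keyinit line (and logging in again) should change the last line from "shared" to "private"; a "shared" result after the change means the PAM stack used for that login path still lacks pam_keyinit.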