--- Comment #35 from Franck Bui <fbui(a)suse.com> ---
(In reply to Andrei Borzenkov from comment #34)
> I hesitate to say "better".

Well, according to the documentation, the user session keyring is used as a
fallback when no session keyring has been created for a given process. And this
happens when the keyring stuff has not been integrated.
And in this case session keys are visible to all processes running with the same
UID, which is not too good.
That's probably the reason why the doc says:

    Rather than relying on the user session keyring, it is strongly
    recommended —especially if the process is running as root— that a
    session-keyring(7) be set explicitly, for example by pam_keyinit(8).

> One can argue that it worked so far without any
> explicit integration and justification for such a serious change in systemd is
> rather weak (are you aware of any service that actually makes use of
> invocation ID?). Alternative is to explicitly pass invocation IDs on those
> services that really need it.

The main justification, from my POV, is rather that all system services get a
dedicated session keyring which is disconnected from the root user keyring.