(In reply to Andrei Borzenkov from comment #6)
> 2. Now let's look at keyrings immediately after logon
>
> bor@10:~> : Before ecryptfs-setup
> bor@10:~> cat /proc/keys
> 023c3b10 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
> 05088f05 I--Q--- 88 perm 3f030000 0 0 keyring _ses: 1
> 2344184f I--Q--- 41 perm 3f030000 1000 100 keyring _ses: 1
> bor@10:~> keyctl show -x @s
> Keyring
> 0x05088f05 --alswrv 0 0 keyring: _ses
> 0x023c3b10 ----s-rv 0 0 \_ user: invocation_id
>
> Note - our session keyring is owned by user 0!!! So it is the one inherited
> from systemd service. (Heck, is there any way to list session keyrings for
> each process?)

I don't see why the session keyring is owned by root here. The ownership is supposed to be changed here:

https://github.com/systemd/systemd/blob/master/src/core/execute.c#L2127

It looks like for some reason KEYCTL_CHOWN doesn't work...