Comment # 36 on bug 1045886 from
(In reply to Franck Bui from comment #35)
> 
> And in this case session keys are visible to all processes running with the
> same UID, which is not too good.
> 

Still it is better than what we have now.

> That's probably the reason why the doc says:
> 
>   Rather than relying on the user session keyring, it is strongly
>   recommended—especially if the process is running as root—that a
>   session-keyring(7) be set explicitly, for example by pam_keyinit(8).
> 

You miss the point. It makes pam_keyinit mandatory without as much as giving
any heads up to users (just try to search for pam_keyinit in systemd NEWS).
Before this change pam_keyinit was recommended, but the whole system still
worked reasonably well without it. So the actual question is whether we want to
mandate pam_keyinit and risk security implications if it is missing for some
reason.

