[Bug 1209741] pam session keyring creating during KDE GUI login not available to cifscreds
https://bugzilla.suse.com/show_bug.cgi?id=1209741

https://bugzilla.suse.com/show_bug.cgi?id=1209741#c9

--- Comment #9 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Michal Koutný from comment #8)
(In reply to Fabian Vogt from comment #4)
Can pam_systemd somehow forward the session keyring to the systemd user instance it starts? If not, the only option I see is to have separate session keyrings for systemd user services and other parts of the session.
I understand the intent is to use KEY_SPEC_SESSION_KEYRING (not KEY_SPEC_USER_SESSION_KEYRING nor KEY_SPEC_USER_KEYRING). As you wrote, this is shared via forking ancestry. A process calling into pam_systemd and the systemd user instance are not generally comparable in this relation, so a "horizontal" passing would be needed. I can see there is only KEYCTL_SESSION_TO_PARENT, which could partly overcome this, but it wouldn't work for already forked processes.
Ok, so we definitely need pam_keyinit.so in the systemd-user PAM service then? Upstream did that ages ago: https://github.com/systemd/systemd/commit/ab79099d1684457d040ee7c28b2012e8c1...
Another idea (besides Lennart's KEY_SPEC_USER_KEYRING but not very sane) would be to start the desktop environment as a systemd user instance service (i.e. DE comparable in ancestry relation with systemd user instance). (While the display manager would start a particular user instance target to bring all up. I never saw that except for this related Arch Linux attempt [1].)
[1] https://wiki.archlinux.org/title/Systemd/User#Xorg_as_a_systemd_user_service
That's basically what happens here. In the X11 case, the X server is started before the session (rootful) or as part of the session (rootless, not in SDDM 0.19.0). In the Wayland case, the display server is also part of the systemd user session.
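
The comment above turns on KEY_SPEC_SESSION_KEYRING being shared only through forking ancestry. The following C program is an added example, not code from the bug report, systemd or PAM; it demonstrates this with raw `keyctl`/`add_key` syscalls. The key description, payload and function names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/keyctl.h>              /* KEYCTL_* and KEY_SPEC_* constants */

#define DEMO_KEY "demo:constructed-key" /* constructed sample description */

/* Fork a child and report whether it finds DEMO_KEY via its own
 * KEY_SPEC_SESSION_KEYRING. With join_new set, the child first joins a fresh
 * anonymous session keyring, like a process outside the login's ancestry.
 * Returns 1 (found), 0 (not found) or -1 (error). */
static int child_sees_key(int join_new)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (join_new && syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0)
            _exit(2);
        long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                          "user", DEMO_KEY, 0L);
        _exit(id >= 0 ? 1 : 0);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1) return -1;
    return WEXITSTATUS(st);
}

/* Bitmask result: bit 0 = plain forked child sees the key, bit 1 = child with
 * its own session keyring sees it; -1 if the keyring syscalls are unavailable
 * (for example blocked by a container seccomp profile). */
int keyring_inheritance_demo(void)
{
    const char secret[] = "constructed-payload";
    /* Start from a private session keyring so the demo is self-contained. */
    if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0) return -1;
    if (syscall(SYS_add_key, "user", DEMO_KEY, secret, sizeof(secret) - 1,
                KEY_SPEC_SESSION_KEYRING) < 0) return -1;
    int same = child_sees_key(0), fresh = child_sees_key(1);
    return (same < 0 || fresh < 0) ? -1 : (same | (fresh << 1));
}

int main(void)
{
    printf("mask=%d (1: only the forked descendant sees the key)\n",
           keyring_inheritance_demo());
    return 0;
}
```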