[Bug 1045886] ecryptfs problems with recent Tumbleweed
http://bugzilla.novell.com/show_bug.cgi?id=1045886
http://bugzilla.novell.com/show_bug.cgi?id=1045886#c35
--- Comment #35 from Franck Bui
I hesitate to say "better".
Well, according to the documentation, the user session keyring is used as a fallback when no session keyring has been created for a given process. And this happens when the keyring stuff has not been integrated. And in this case session keys are visible to all processes running with the same UID, which is not too good. That's probably the reason why the doc says: "Rather than relying on the user session keyring, it is strongly recommended —especially if the process is running as root— that a session-keyring(7) be set explicitly, for example by pam_keyinit(8)."
One can argue that it worked so far without any explicit integration and justification for such a serious change in systemd is rather weak (are you aware of any service that actually makes use of invocation ID?). An alternative is to explicitly pass invocation IDs on those services that really need it.
The main justification, from my POV, is rather that all system services get a dedicated session keyring which is disconnected from the root user keyring.
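To see which of the two cases a given process is in, the following added example (not part of the original comment, and not systemd code) asks the kernel to describe the process's session keyring and checks whether it is the per-UID fallback. The function name `is_user_session_fallback` and the `_OP`/`_ID` macro names are this example's own; the numeric values are those of `<linux/keyctl.h>`, and `_uid_ses.<uid>` is the kernel's name for a user session keyring.

```c
#define _GNU_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Numeric values as defined in the kernel UAPI header <linux/keyctl.h>. */
#define KEY_SPEC_SESSION_KEYRING_ID (-3L)
#define KEYCTL_GET_KEYRING_ID_OP    0L
#define KEYCTL_DESCRIBE_OP          6L

/* KEYCTL_DESCRIBE yields "type;uid;gid;perm;description".
 * Returns 1 for a user session keyring (_uid_ses.<uid>), 0 for any other
 * keyring, -1 if the string is malformed or does not describe a keyring. */
int is_user_session_fallback(const char *described)
{
    const char *p = described;
    if (p == NULL || strncmp(p, "keyring;", 8) != 0)
        return -1;
    for (int field = 0; field < 4; field++) {  /* skip type, uid, gid, perm */
        p = strchr(p, ';');
        if (p == NULL)
            return -1;
        p++;
    }
    if (strncmp(p, "_uid_ses.", 9) != 0)
        return 0;
    p += 9;
    size_t digits = strspn(p, "0123456789");   /* the rest must be a UID */
    return digits > 0 && p[digits] == '\0';
}

int main(void)
{
    char buf[256];
    /* Third argument 0: look the keyring up, do not create one. */
    long id = syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID_OP,
                      KEY_SPEC_SESSION_KEYRING_ID, 0L);
    if (id < 0) { perror("KEYCTL_GET_KEYRING_ID"); return 2; }
    long n = syscall(SYS_keyctl, KEYCTL_DESCRIBE_OP, id, buf, sizeof buf);
    if (n < 0) { perror("KEYCTL_DESCRIBE"); return 2; }
    if ((size_t)n > sizeof buf) { fputs("description too long\n", stderr); return 2; }
    int r = is_user_session_fallback(buf);
    printf("session keyring %ld: %s\n", id, buf);
    puts(r == 1 ? "fallback: visible to every process with this UID"
       : r == 0 ? "dedicated session keyring"
                : "unexpected description");
    return r == 1;   /* exit status 1 flags the fallback case */
}
```
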