> 2. let AFS use the per-user keyring instead of the per-session one
>    (suggested in the systemd bug discussion)
>
> Does the second one sound reasonable?
Switching to the user keyring is unreasonable. The impact of such a change is that all user sessions on a system share the same tokens and an effective uid change permits access to those same tokens. Process Authentication Groups (PAGs) exist explicitly to establish a security barrier to prevent such credential leakage.

Just my two cents ...

Jeffrey Altman
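The sharing behaviour the reply describes can be checked directly with the keyutils `keyctl` tool. The script below is an added example, not part of the thread or of the AFS or systemd projects: it adds a throwaway key to a keyring from one freshly joined session and then looks for it from a second fresh session of the same uid, once for the session keyring (`@s`) and once for the user keyring (`@u`). The key description, the `probe` helper and the `skip` result are constructed for this example; it assumes Linux with keyutils installed, and it reports `skip` instead of a false answer where the keyctl syscalls are unavailable (many container runtimes block them).

```shell
#!/bin/sh
# Added example (not from the thread): is a key placed in a keyring from one
# session visible to a second session of the same uid?  Probes the session
# keyring (@s) and the user keyring (@u).  Needs Linux + keyutils; prints
# "skip" where keyctl is missing or the keyctl syscalls are blocked.

# true if keyctl exists and we may join an anonymous session keyring
have_keyctl() {
    command -v keyctl >/dev/null 2>&1 && keyctl session - true >/dev/null 2>&1
}

# probe @s|@u  -> prints "shared", "isolated" or "skip"
probe() {
    ring=$1
    have_keyctl || { echo skip; return 0; }
    desc="afs-keyring-demo-$$-$ring"        # constructed, unique per run

    # Session A: join a fresh session keyring, add a throwaway key to $ring.
    # keyctl session also announces the keyring it joined, so keep the last
    # line only (the key id printed by keyctl add).
    id=$(keyctl session - sh -c "keyctl add user '$desc' token $ring" 2>/dev/null | tail -n 1)
    [ -n "$id" ] || { echo skip; return 0; }

    # Session B: another fresh session keyring, same uid.  Does the key added
    # in session A appear in $ring here?  (keyctl list only needs read on the
    # keyring and view on the key, which the defaults grant to the owner.)
    if keyctl session - sh -c "keyctl list $ring | grep -q 'user: $desc'" >/dev/null 2>&1
    then result=shared
    else result=isolated
    fi

    # Cleanup: unlink the demo key from a user keyring.  A session keyring
    # from session A has already been destroyed, so that unlink fails harmlessly.
    keyctl session - keyctl unlink "$id" "$ring" >/dev/null 2>&1 || true
    echo "$result"
}

# On a normal Linux login these match the point made in the reply:
#   session keyring -> isolated : one session's tokens stay in that session
#   user keyring    -> shared   : every session of the uid sees them
session_keyring_visibility() { probe @s; }
user_keyring_visibility()    { probe @u; }

echo "session keyring: $(session_keyring_visibility)"
echo "user keyring:    $(user_keyring_visibility)"
```

Run it as an ordinary user on a machine with keyutils; `@s` reports `isolated` and `@u` reports `shared`, which is exactly why a per-session (or PAG-scoped) keyring, not the per-user one, is the right home for AFS tokens.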
