Gwendal Grignou <gwen...@chromium.org> wrote: > Currently, if a session keyring exists, we are not searching in the > user session or user keyrings.
That is correct. New session keyrings are given a link to the user session if created by pam_keyinit. If you don't want to search the user keyring, you can just unlink it from your session keyring. The user-session keyring is a fallback keyring in case there's no session keyring. It seemed to make things easier at the time, but it shouldn't really exist and I would deprecate it and remove it if I could - especially now that persistent keyrings exist. The uid 0 user-session keyring is a potential security hole because it allows implicit sharing of authentication data between daemon processes. David
