author: Lennart Poettering <lennart@poettering.net> 2018-02-20 08:53:34 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-02-20 08:53:34 +0100
commit: 00f5ad93b5c3c0e09e6d135a6a82ac53fd97ceca
tree: 33a7a23f7db162d8ccebc0d584a9bf67cae344a7 /man/systemd.exec.xml
parent: 6f58ff2325c22ca02a2450ce5b95f88c04b1c537
core: change KeyringMode= to "shared" by default for non-service units in the system manager (#8172)
Before this change all unit types would default to "private" in the system service manager and to "inherit" in the user service manager. With this change this is slightly altered: non-service units of the system service manager are now run with KeyringMode=shared. This appears to be the more appropriate choice as isolation is not as desirable for mount tools, which regularly consume key material. After all, mounts are a shared resource themselves as they appear system-wide, hence it makes a lot of sense to share their key material too.
Fixes: #8159
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 4
1 files changed, 2 insertions, 2 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f01599f656..d4dc2843ec 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -631,8 +631,8 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
processes. In this modes multiple units running processes under the same user ID may share key material. Unless
<option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
- <option>private</option> for the system service manager and to <option>inherit</option> for the user service
- manager.</para></listitem>
+ <option>private</option> for services of the system service manager and to <option>inherit</option> for
+ non-service units and for services of the user service manager.</para></listitem>
</varlistentry>
<varlistentry>
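Review bot: The added lines document <option>inherit</option> as the default for non-service units, but the commit subject and message say non-service units of the system service manager now run with KeyringMode=shared, so the man page text and the described behaviour disagree. The sentence should name <option>shared</option> for that case. As worded, "non-service units and for services of the user service manager" also leaves it unclear which manager the non-service units belong to; listing the three cases separately (services of the system manager, non-service units of the system manager, units of the user manager) would remove the ambiguity. Since this default decides whether units under the same user ID can see each other's key material, the documentation needs to be exact here. While touching this paragraph, the context line "In this modes" could be corrected to "In this mode".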