Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
> I can see the problem, but I'm not sure how to improve on this. We
> don't want to support running shibd as root, so we added the warning to

I'm totally with you here!

> prod admins to migrate under jessie.

It seems you didn't use a big enough cattle prod here ;-)
Without the explicit systemd service, it still runs seamlessly as root...

> There was a NEWS entry as well.

I had something in mind like the warning mails I get for behaviour changes from unattended upgrades... Since I don't do dist-upgrades, but clean re-installs to get rid of no-longer-needed stuff on my servers, it seems I have to improve my reading and include all the NEWS* files for all the packages...

> Systemd can't really provide a fallback to root anyway. Now we're
> nearing the buster freeze already; I think the best thing to do would be
> decoding the error codes so that the daemon prints human readable error
> messages (for example "permission denied" in this case). Would you find
> that a valid fix? However, this wouldn't help current stretch users
> (who must have already solved this) nor future upgrades to buster.
> Still, it would be a slight improvement upstream, I guess.

Yes, this might help - and now that I'm better aware of the NEWS* files, perhaps an entry in a shibboleth-sp2-utils (where _this_ change really happened) NEWS file, like, "now we have a systemd service, now you not only SHOULD change to _shibd, now you MUST" or anything more prominent.

You're right, you did document the change, and it's the ignorant admins out there that have a problem, so everything should be fine, but now that you know of these admins, perhaps you stumble upon a bigger prod - if not, ok, it's us admins that have to learn the hard way ;-)

Thanks for your time, for the work that you put in these packages and for dealing with people like me :)

Bye,
Andy
--
Andreas Ley, SCC, Karlsruhe Institute of Technology (KIT), D-76128 Karlsruhe
E-Mail: andreas@kit.edu, Telephone: +49 721 608 46341, Fax: +49 721 32550
"It's 106 ms to Chicago, we've got a full disk of GIFs, half a meg of hypertext, it's dark, and we're wearing sunglasses." "Click it." -- Christopher Davis
Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Andreas Ley writes:

> Did not realize there now is a _shibd user that needs to access the
> keys since on jessie, shibd automatically runs as root in such a
> situation.
> [...]
> On stretch, there is a /lib/systemd/system/shibd.service which misses
> both the automatism and the warning.

Hi Andreas,

I can see the problem, but I'm not sure how to improve on this. We don't want to support running shibd as root, so we added the warning to prod admins to migrate under jessie. There was a NEWS entry as well. Systemd can't really provide a fallback to root anyway. Now we're nearing the buster freeze already; I think the best thing to do would be decoding the error codes so that the daemon prints human readable error messages (for example "permission denied" in this case). Would you find that a valid fix? However, this wouldn't help current stretch users (who must have already solved this) nor future upgrades to buster. Still, it would be a slight improvement upstream, I guess.
--
Regards,
Feri
Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Package: shibboleth-sp2-utils
Version: 2.6.0+dfsg1-4+deb9u1
Severity: minor

Dear Maintainer,

* What led up to the situation?

Migrated shibboleth x.509 keys (root owned, mode 400) from a jessie system to stretch.

* What exactly did you do (or not do) that was effective (or ineffective)?

Did not realize there now is a _shibd user that needs to access the keys since on jessie, shibd automatically runs as root in such a situation.

* What was the outcome of this action?

/var/log/shibboleth/shibd.log lists:

2018-11-08 08:30:59 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 406
2018-11-08 08:30:59 ERROR OpenSSL : error data: fopen('.../conf/ssl/sp.key','r')
2018-11-08 08:30:59 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 408

* What outcome did you expect instead?

Either the same logic as on jessie or a more prominent hint for the admin to adapt to the new situation.

* What caused the problem?

On jessie, there is no explicit systemd service file but one is generated from /etc/init.d/shibd as /run/systemd/generator.late/shibd.service so the whole init.d logic is also available to systemd. This logic has been amended by debian/patches/Improve-shibd-init-script.patch's prepare_environment() which runs shibd in test mode, looks for the error above and then automatically disables running as $DAEMON_USER.
The associated warning is easily overseen as the logs are noisy and everything is fine.

On stretch, there is a /lib/systemd/system/shibd.service which misses both the automatism and the warning.
-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages shibboleth-sp2-utils depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u3
ii  libfcgi0ldbl         2.4.0-8.4+b1
ii  libgcc1              1:6.3.0-18+deb9u1
ii  liblog4shib1v5       1.0.9-3
ii  libsaml9             2.6.0-4+deb9u1
ii  libshibsp-plugins    2.6.0+dfsg1-4+deb9u1
ii  libshibsp7           2.6.0+dfsg1-4+deb9u1
ii  libstdc++6           6.3.0-18+deb9u1
ii  libsystemd0          232-25+deb9u4
ii  libxerces-c3.1       3.1.4+debian-2+deb9u1
ii  libxmltooling7       1.6.0-4+deb9u1
ii  lsb-base             9.20161125

Versions of packages shibboleth-sp2-utils recommends:
ii  openssl  1.1.0f-3+deb9u2

shibboleth-sp2-utils suggests no packages.

-- debconf-show failed
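Added example, not part of the thread and not code from the package or from upstream: a decoder for the numeric OpenSSL error codes that shibd.log shows in the report, along the lines of the "human readable error messages" discussed in the follow-up. It assumes the packed error-code layout used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason); the function names are hypothetical and the sample log is the three lines quoted in the report.

```python
import errno
import os
import re

# Constructed sample: the three log lines quoted in the bug report.
SAMPLE_LOG = """\
2018-11-08 08:30:59 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 406
2018-11-08 08:30:59 ERROR OpenSSL : error data: fopen('.../conf/ssl/sp.key','r')
2018-11-08 08:30:59 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 408
"""

ERR_LIB_SYS = 2    # errors passed through from the operating system
ERR_LIB_BIO = 32   # OpenSSL's I/O abstraction layer
ERR_R_SYS_LIB = 2  # generic reason: a system library call failed
LIB_NAMES = {ERR_LIB_SYS: "system library", ERR_LIB_BIO: "BIO routines"}

CODE_RE = re.compile(r"error code: (\d+) in \S+, line \d+")


def unpack(code):
    """Split a pre-3.0 OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(code):
    """Return a human-readable description of one packed error code."""
    lib, func, reason = unpack(code)
    name = LIB_NAMES.get(lib, "library %d" % lib)
    if lib == ERR_LIB_SYS:
        # For ERR_LIB_SYS the reason field carries the errno of the failed call.
        symbol = errno.errorcode.get(reason, str(reason))
        return "%s: %s (%s)" % (name, os.strerror(reason), symbol)
    if reason == ERR_R_SYS_LIB:
        return "%s: system call failed, see the system library error" % name
    return "%s: function %d, reason %d" % (name, func, reason)


def explain_log(text):
    """Decode every 'error code: N' line found in a shibd.log excerpt."""
    return [(int(m.group(1)), explain(int(m.group(1))))
            for m in map(CODE_RE.search, text.splitlines()) if m]


if __name__ == "__main__":
    for code, text in explain_log(SAMPLE_LOG):
        print(code, "->", text)
```

The first code decodes to errno 13 (EACCES) raised by fopen(), which is the permission failure on the root-owned, mode 400 key; the second is the BIO layer reporting that the underlying system call failed.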