Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
> I can see the problem, but I'm not sure how to improve on this. We > don't want to support running shibd as root, so we added the warning to I'm totally with you here! > prod admins to migrate under jessie. It seems you didn't use a big enough cattle prod here ;-) Without the explicit systemd service, it still runs seamlessly as root... > There was a NEWS entry as well. I had something in mind like the warning mails I get for behaviour changes from unattended upgrades... Since I don't do dist-upgrades, but clean re-installs to get rid of no-longer-needed stuff on my servers, it seems I have to improve my reading and include all the NEWS* files for all the packages... > Systemd can't really provide a fallback to root anyway. Now we're > nearing the buster freeze already; I think the best thing to do would be > decoding the error codes so that the daemon prints human readable error > messages (for example "permission denied" in this case). Would you find > that a valid fix? However, this wouldn't help current stretch users > (who must have already solved this) nor future upgrades to buster. > Still, it would be a slight improvement upstream, I guess. Yes, this might help - and now that I'm better aware of the NEWS* files, perhaps an entry in a shibboleth-sp2-utils (where _this_ change really happend) NEWS file, like, "now we have a systemd service, now you not only SHOULD change to _shibd, now you MUST" or anything more prominent. You're right, you did document the change, and it's the ignorant admins out there that have a problem, so everything should be fine, but now that you know of these admins, perhaps you stumble upon a bigger prod - if not, ok, it's us admins that have to learn the hard way ;-) Thanks for your time, for the work that you put in these packages and for dealing with people like me :) Bye, Andy -- Andreas Ley, SCC, Karlsruhe Institute of Technology (KIT), D-76128 Karlsruhe E-Mail: andreas@kit.edu, Telephone: +49 721 608 46341, Fax: +49 721 32550 "It's 106 ms to Chicago, we've got a full disk of GIFs, half a meg of hypertext, it's dark, and we're wearing sunglasses." "Click it." -- Christopher Davis
Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Andreas Ley writes: > Did not realize there now is a _shibd user that needs to access the > keys since on jessie, shibd automatically runs as root in such a > situation. > [...] > On stretch, there is a /lib/systemd/system/shibd.service which misses > both the automatism and the warning. Hi Andreas, I can see the problem, but I'm not sure how to improve on this. We don't want to support running shibd as root, so we added the warning to prod admins to migrate under jessie. There was a NEWS entry as well. Systemd can't really provide a fallback to root anyway. Now we're nearing the buster freeze already; I think the best thing to do would be decoding the error codes so that the daemon prints human readable error messages (for example "permission denied" in this case). Would you find that a valid fix? However, this wouldn't help current stretch users (who must have already solved this) nor future upgrades to buster. Still, it would be a slight improvement upstream, I guess. -- Regards, Feri
Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Package: shibboleth-sp2-utils
Version: 2.6.0+dfsg1-4+deb9u1
Severity: minor
Dear Maintainer,
* What led up to the situation?
Migrated shibboleth x.509 keys (root owned, mode 400) from a jessie system to
stretch.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Did not realize there now is a _shibd user that needs to access the keys since
on jessie, shibd automatically runs as root in such a situation.
* What was the outcome of this action?
/var/log/shibboleth/shibd.log lists:
2018-11-08 08:30:59 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 406
2018-11-08 08:30:59 ERROR OpenSSL : error data: fopen('.../conf/ssl/sp.key','r')
2018-11-08 08:30:59 ERROR OpenSSL : error code: 537346050 in bss_file.c, line
408
* What outcome did you expect instead?
Either the same logic as on jessie or a more prominent hint for the admin to
adapt to the new situation.
* What caused the problem?
On jessie, there is no explict systemd service file but one is generated from
/etc/init.d/shibd as /run/systemd/generator.late/shibd.service
so the whole init.d logic is also available to systemd. This logic has been
amended by debian/patches/Improve-shibd-init-script.patch's
prepare_environment() which runs shibd in test mode, looks for the error above
and then automatically disables running as $DAEMON_USER
The associated warning is easily overseen as the logs are noisy and everything
is fine.
On stretch, there is a /lib/systemd/system/shibd.service which misses both the
automatism and the warning.
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages shibboleth-sp2-utils depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii libc62.24-11+deb9u3
ii libfcgi0ldbl 2.4.0-8.4+b1
ii libgcc1 1:6.3.0-18+deb9u1
ii liblog4shib1v5 1.0.9-3
ii libsaml9 2.6.0-4+deb9u1
ii libshibsp-plugins2.6.0+dfsg1-4+deb9u1
ii libshibsp7 2.6.0+dfsg1-4+deb9u1
ii libstdc++6 6.3.0-18+deb9u1
ii libsystemd0 232-25+deb9u4
ii libxerces-c3.1 3.1.4+debian-2+deb9u1
ii libxmltooling7 1.6.0-4+deb9u1
ii lsb-base 9.20161125
Versions of packages shibboleth-sp2-utils recommends:
ii openssl 1.1.0f-3+deb9u2
shibboleth-sp2-utils suggests no packages.
-- debconf-show failed
