Learn more about these different git repos.
Other Git URLs
[This bug is a clone of #425 from a few years ago]
SSSD is refusing to start because sssd.conf has permissions 644 instead of 600. In this situation, there is no sensitive information in sssd.conf, and the requirement that it have specific permissions is unreasonable. In fact, since this configuration file is in version control at our site, the default permission is 644, and it would be extremely easy for the file to accidentally get chmodded 644 again. The system will disallow logins if the config file is chmodded 644 at any point.
I understand that the intention is to make sure that any passwords that might be included in the config file are not publicly readable. A few alternative ways to deal with the intended security include:
1) Postfix puts passwords in a separate file, as does Apache with SSL keys. I'm sure there are many other examples of this general model. These systems enforce permissions for the sensitive files but not for the general configiguration. Not only does this make system administration easier, it also means that people are less likely to accidentally post sensitive information in bug reports.
2) Other systems, like libvirt, named, and cups set their configuration to be unreadable by default, but they don't fail if the permissions are changed by the administrator.
3) It's not pretty, but maybe there could be a new command-line option: --i-swear-i-dont-have-any-passwords-in-the-config-please-just-start.
Okay, so (3) isn't a serious suggestion, but I think (1) would be a really good idea. If anything, I think it actually improves security.
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred
rhbz: => todo
cc: => jamespfinn@gmail.com changelog: => design: => design_review: => 0 fedora_test_page: => review: => 0 selected: =>
Metadata Update from @amcnabb: - Issue set to the milestone: SSSD Patches welcome
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455257 (was: todo)
Issue linked to Bugzilla: Bug 1455257
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2455
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.