#1413 sssd.conf required to have permissions 0600
Closed: wontfix 4 years ago by pbrezina. Opened 11 years ago by amcnabb.

[This bug is a clone of #425 from a few years ago]

SSSD is refusing to start because sssd.conf has permissions 644 instead of 600. In this situation, there is no sensitive information in sssd.conf, and the requirement that it have specific permissions is unreasonable. In fact, since this configuration file is in version control at our site, the default permission is 644, and it would be extremely easy for the file to accidentally get chmodded 644 again. The system will disallow logins if the config file is chmodded 644 at any point.

I understand that the intention is to make sure that any passwords that might be included in the config file are not publicly readable. A few alternative ways to deal with the intended security include:

1) Postfix puts passwords in a separate file, as does Apache with SSL keys. I'm sure there are many other examples of this general model. These systems enforce permissions for the sensitive files but not for the general configiguration. Not only does this make system administration easier, it also means that people are less likely to accidentally post sensitive information in bug reports.

2) Other systems, like libvirt, named, and cups set their configuration to be unreadable by default, but they don't fail if the permissions are changed by the administrator.

3) It's not pretty, but maybe there could be a new command-line option: --i-swear-i-dont-have-any-passwords-in-the-config-please-just-start.

Okay, so (3) isn't a serious suggestion, but I think (1) would be a really good idea. If anything, I think it actually improves security.


Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Fields changed

rhbz: => todo

Fields changed

cc: => jamespfinn@gmail.com
changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
review: => 0
selected: =>

Metadata Update from @amcnabb:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455257 (was: todo)

6 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455257 (was: todo)

6 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2455

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata