Subsystems converted to using nuxwdog run as root user instead of pkiuser. Running subsystems as root is a security issue.
For details see https://www.redhat.com/archives/pki-users/2015-August/msg00004.html https://www.redhat.com/archives/pki-users/2015-September/msg00000.html
Below are quick instructions on how to start nuxwdog as pkiuser, assuming the instance name is pki-tomcat.
```
systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service

# Let pkiuser use the systemd password agent directory
groupadd -r systemd-ask-password
usermod -a -G systemd-ask-password pkiuser
echo "d /run/systemd/ask-password 0775 root systemd-ask-password -" > /etc/tmpfiles.d/systemd-ask-password.conf
/usr/bin/systemd-tmpfiles --create systemd-ask-password.conf

# Drop-in for the template unit: run the service as pkiuser
mkdir /etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/
cat << EOF > /etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/override.conf
[Service]
User=pkiuser
Group=pkiuser
EOF
systemctl daemon-reload

# Hand the instance files to pkiuser, then start the service
find /var/lib/pki/ /var/log/pki/ /etc/pki/pki-tomcat/ -exec chown pkiuser:pkiuser '{}' +
systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service
```
Please create a fix or add a workaround to pki-server nuxwdog documentation.
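A check that the workaround above took effect, as an added example that is not part of the original ticket or the Dogtag PKI code. It relies on systemd reading template drop-ins only from `NAME@.service.d`; the function names and the script name are hypothetical, while the paths and unit name are the ticket's.

```shell
#!/bin/sh
# Added example (not from the ticket): verify the workaround took effect.

# Print the last User= value from the [Service] section of a drop-in file.
dropin_user() {
    awk -F= '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && $1 == "User" { user = $2 }
        END { if (user != "") print user }
    ' "$1"
}

# Succeed only if UNIT_DIR holds a template drop-in that systemd reads
# (NAME@.service.d/override.conf) and it sets a non-root User=.
check_dropin() {
    unit_dir=$1
    template=$2
    conf="$unit_dir/${template}@.service.d/override.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    user=$(dropin_user "$conf")
    case "$user" in
        ""|root|0) echo "User= is '${user:-unset}' in $conf"; return 1 ;;
    esac
    echo "drop-in sets User=$user"
}

# List anything under the given directories not owned by the expected user.
not_owned_by() {
    owner=$1
    shift
    find "$@" ! -user "$owner" -print
}

# Live check, only when run as: sh check-nuxwdog-user.sh --host
# (script name is hypothetical; paths and unit name are the ticket's).
if [ "${1:-}" = "--host" ]; then
    unit=pki-tomcatd-nuxwdog@pki-tomcat.service
    check_dropin /etc/systemd/system pki-tomcatd-nuxwdog
    not_owned_by pkiuser /var/lib/pki /var/log/pki /etc/pki/pki-tomcat
    # The user the running main process actually has; should print pkiuser.
    ps -o user= -p "$(systemctl show -p MainPID --value "$unit")"
fi
```

Any path printed by `not_owned_by` is a file the service user cannot be assumed to read or write after the switch from root.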
Bugzilla Bug #1264206 - {DOC} - work around to run nuxwdog process as 'pkiuser' instead of 'root'
Metadata Update from @alekseychudov: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2161
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)