When sssd is built with --with-sssd-user=sssd and runs as sssd user, new logs and db files are owned by sssd:sssd with mode 600:
# ls -l /var/log/sssd/sssd.log
-rw-------. 1 sssd sssd 424 abr 15 16:34 sssd.log
If someone wants to run as root again, the recommended way is to override the service unit file like:
[Service]
User=root
Group=root
SupplementaryGroups=sssd
But the daemon will not start due to permission issues opening log / db files:
sssd[7220]: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]
[sssd] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/cache_xxxxxx.ldb' with backend 'tdb': Unable to open tdb '/var/lib/sss/db/cache_xxxxxx.ldb': Permission denied
The reason is that the ExecStartPre statements in the service unit chown /var/lib/sss/db/*.ldb and /var/log/sssd/*.log* to sssd:sssd but the mode remains 600. Removing the existent files will allow the service to start, but only once.
To better support this scenario I propose:
- To fix the mode of new files, update the default umask to grant group permissions when non-root support is built:
/* Default secure umask */
+#ifdef SSSD_NON_ROOT_USER
+#define SSS_DFL_UMASK 0117
+#else
#define SSS_DFL_UMASK 0177
+#endif
/* Secure mask with executable bit */
+#ifdef SSSD_NON_ROOT_USER
+#define SSS_DFL_X_UMASK 0007
+#else
#define SSS_DFL_X_UMASK 0077
+#endif
With this change, new logs and db files will be created with mode 0660 and new directories with 0770, always granting sssd group access regardless running as root or sssd.
-
To fix the mode of existent files (when upgrading from < 2.10), add more ExecStartPre to chmod g+rw the necessary paths.
-
To fix the ownership of new files:
- Change the ExecStartPre to only
chgrp sssd instead of chown sssd:sssd. Avoids the ownership "dance" between root and sssd.
- Either:
- Set the
setgid bit in the relevant directories so new files are always owned by sssd group, assuming the parent directory is owned by sssd group.
- Or set
User=root in the override file but keep Group=sssd. New files will be owned by root:sssd. No need to add sssd supplementary group. I would prefer this one.
What do you think about these changes?
When sssd is built with
--with-sssd-user=sssdand runs assssduser, new logs and db files are owned bysssd:sssdwith mode 600:If someone wants to run as root again, the recommended way is to override the service unit file like:
But the daemon will not start due to permission issues opening log / db files:
sssd[7220]: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied][sssd] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/cache_xxxxxx.ldb' with backend 'tdb': Unable to open tdb '/var/lib/sss/db/cache_xxxxxx.ldb': Permission deniedThe reason is that the
ExecStartPrestatements in the service unit chown/var/lib/sss/db/*.ldband/var/log/sssd/*.log*tosssd:sssdbut the mode remains600. Removing the existent files will allow the service to start, but only once.To better support this scenario I propose:
With this change, new logs and db files will be created with mode 0660 and new directories with 0770, always granting
sssdgroup access regardless running asrootorsssd.To fix the mode of existent files (when upgrading from < 2.10), add more ExecStartPre to
chmod g+rwthe necessary paths.To fix the ownership of new files:
chgrp sssdinstead ofchown sssd:sssd. Avoids the ownership "dance" betweenrootandsssd.setgidbit in the relevant directories so new files are always owned bysssdgroup, assuming the parent directory is owned bysssdgroup.User=rootin the override file but keepGroup=sssd. New files will be owned byroot:sssd. No need to addsssdsupplementary group. I would prefer this one.What do you think about these changes?