Bug 1287100
| Summary: | Unable to restart sssd due to world readable file permissions for /etc/sssd/sssd.conf | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Abhijeet Kasurde <akasurde> | ||||
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.2 | CC: | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, rcritten, sbose | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-12-01 14:53:21 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Since ipa-client-install configures SSSD I think ipa-client-install should make sure that the permissions on the file are correct. Moving to ipa. It's not bug in sssd. It's expected behaviour. The file /etc/sssd/sssd.conf should be readable only by root. sh# ls -l /etc/sssd/sssd.conf -rw-------. 1 root root 4334 Dec 1 13:29 /etc/sssd/sssd.conf Did you have /etc/sssd/sssd.conf on you machine before enrolling to IPA server? If the file did not exist then it might be an issue in ipa-client. sssd set umast to 0o177 in method write (class SSSDConfig)
/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py
1468 old_umask = os.umask(0o177)
1469 of = open(outputfile, "wb")
1470 output = self.dump(self.opts).encode('utf-8')
1471 of.write(output)
1472 of.close()
1473 os.umask(old_umask)
Closing bz as CLOSED NOTABUG as due to mis-configuration file permissions got changed for /etc/sssd/sssd.conf. |
Created attachment 1100926 [details] ipa-client-install.log Description of problem: While installing IPA client on test machine found that SSSD service always fails to restart. Found that # ls -lh /etc/sssd/sssd.conf -rw-r--r--. 1 root root 483 Dec 1 19:12 /etc/sssd/sssd.conf changing permissions from 644 to 600 fixes issue. Version-Release number of selected component (if applicable): sssd-1.13.0-39.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. Try to enroll system into IPA environment using 'ipa-client-install' 2. Actual results: ipa-client-install fails to restart sssd service Expected results: ipa-client-install should be able to restart sssd service Additional info: ipa-client-install can restart service sssd after changing permission to 600 for file /etc/sssd/sssd.conf