Bug 1293941
| Summary: | Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.2 | CC: | brubisch, bs168, bugzilla, cww, gm.outside+redhat, goeran, jik, jscalf, mboswell, mjtrangoni, mvermaes, omoris, orion, pdwyer, pmoore, robert.scheck, sauchter, sgrubb, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | audit-2.5.2-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 06:12:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1241565 | ||
| Bug Blocks: | 1203710, 1296594, 1313485 | ||
|
Description
Robert Scheck
2015-12-23 15:49:40 UTC
Cross-filed case 01558859 on the Red Hat customer portal. *** Bug 1300337 has been marked as a duplicate of this bug. *** *** Bug 1301177 has been marked as a duplicate of this bug. *** *** Bug 1291464 has been marked as a duplicate of this bug. *** I think that actually systemd is wrong to demand unit files to be world-readable, there is no real justification for that and it also limits the ability to specify semi-sensitive stuff in the unit files (previously it was possible to make a unit file readable to root only, so you could have put stuff only root was supposed to see). That recent change in systemd is actually was badly thought-out since there are numerous packages which are quite strict with permissions (and it is actually a good thing to be strict and follow the least-privilege principle), as the result the system logs are spammed with that useless warning. If I want to know what's inside of the auditd systemd unit file, I simply can download the package from CentOS and look inside - thus I dislike your argumentation. I even can run "systemctl status auditd.service" etc. as a user to see what's actually performed and running. Anyway, this bug report is *not* about making the auditd systemd unit file world-readable, but just and only about removing the message that is spewed to the logs (and I less care how this is achieved, either by fixing permissions or by disabling the code path causing the log message). If you would like to discuss this, I kindly suggest to follow up the dependent bug #1241565 where discussions about this happened. audit-2.5.2-1.el7 has been built to address this issue. Successfully reproduced and verified. OLD === # rpm -q audit audit-2.4.1-5.el7.x86_64 # ls -l /usr/lib/systemd/system/auditd.service -rw-r-----. 1 root root 669 Jan 14 2015 /usr/lib/systemd/system/auditd.service NEW === # rpm -q audit audit-2.6.1-1.el7.x86_64 # ls -l /usr/lib/systemd/system/auditd.service -rw-r--r--. 1 root root 879 Jun 29 08:16 /usr/lib/systemd/system/auditd.service Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2418.html |