Bug 1287100 - Unable to restart sssd due to world readable file permissions for /etc/sssd/sssd.conf
Unable to restart sssd due to world readable file permissions for /etc/sssd/s...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-01 08:58 EST by Abhijeet Kasurde
Modified: 2015-12-01 09:53 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-01 09:53:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ipa-client-install.log (1.94 KB, text/plain)
2015-12-01 08:58 EST, Abhijeet Kasurde
no flags Details

  None (edit)
Description Abhijeet Kasurde 2015-12-01 08:58:55 EST
Created attachment 1100926 [details]
ipa-client-install.log

Description of problem:
While installing IPA client on test machine found that SSSD service always fails to restart. Found that 

# ls -lh /etc/sssd/sssd.conf
-rw-r--r--. 1 root root 483 Dec  1 19:12 /etc/sssd/sssd.conf

changing permissions from 644 to 600 fixes issue.

Version-Release number of selected component (if applicable):
sssd-1.13.0-39.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Try to enroll system into IPA environment using 'ipa-client-install'
2. 

Actual results:
ipa-client-install fails to restart sssd service 

Expected results:
ipa-client-install should be able to restart sssd service


Additional info:

ipa-client-install can restart service sssd after changing permission to 600 for file /etc/sssd/sssd.conf
Comment 1 Sumit Bose 2015-12-01 09:04:12 EST
Since ipa-client-install configures SSSD I think ipa-client-install should make sure that the permissions on the file are correct.

Moving to ipa.
Comment 2 Lukas Slebodnik 2015-12-01 09:05:56 EST
It's not bug in sssd. It's expected behaviour.

The file /etc/sssd/sssd.conf should be readable only by root.
sh# ls -l /etc/sssd/sssd.conf
-rw-------. 1 root root 4334 Dec  1 13:29 /etc/sssd/sssd.conf

Did you have /etc/sssd/sssd.conf on you machine before enrolling to IPA server?
If the file did not exist then it might be an issue in ipa-client.
Comment 3 Lukas Slebodnik 2015-12-01 09:11:51 EST
sssd set umast to 0o177 in method write (class SSSDConfig)
/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py
1468         old_umask = os.umask(0o177)
1469         of = open(outputfile, "wb")
1470         output = self.dump(self.opts).encode('utf-8')
1471         of.write(output)
1472         of.close()
1473         os.umask(old_umask)
Comment 4 Abhijeet Kasurde 2015-12-01 09:53:21 EST
Closing bz as CLOSED NOTABUG as due to mis-configuration file permissions got changed for /etc/sssd/sssd.conf.

Note You need to log in before you can comment on or make changes to this bug.