Red Hat Bugzilla – Bug 1293941
Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible
Last modified: 2016-11-04 02:12:43 EDT
Description of problem:
Dec 23 15:44:55 tux systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

Version-Release number of selected component (if applicable):
systemd-219-19.el7.x86_64
audit-2.4.1-5.el7.x86_64

How reproducible:
Every time, e.g. after reboot.

Actual results:
Unnecessary warnings in /var/log/messages.

Expected results:
No warnings in /var/log/messages.
Cross-filed case 01558859 on the Red Hat customer portal.
*** Bug 1300337 has been marked as a duplicate of this bug. ***
*** Bug 1301177 has been marked as a duplicate of this bug. ***
*** Bug 1291464 has been marked as a duplicate of this bug. ***
I think that actually systemd is wrong to demand unit files to be world-readable; there is no real justification for that, and it also limits the ability to specify semi-sensitive stuff in the unit files (previously it was possible to make a unit file readable to root only, so you could have put stuff only root was supposed to see). That recent change in systemd was actually badly thought out, since there are numerous packages which are quite strict with permissions (and it is actually a good thing to be strict and follow the least-privilege principle); as a result, the system logs are spammed with that useless warning.
If I want to know what's inside of the auditd systemd unit file, I can simply download the package from CentOS and look inside - thus I dislike your argumentation. I can even run "systemctl status auditd.service" etc. as a user to see what's actually performed and running. Anyway, this bug report is *not* about making the auditd systemd unit file world-readable, but just and only about removing the message that is spewed to the logs (and I care less how this is achieved, either by fixing permissions or by disabling the code path causing the log message). If you would like to discuss this, I kindly suggest following up on the dependent bug #1241565, where discussions about this happened.
audit-2.5.2-1.el7 has been built to address this issue.
Successfully reproduced and verified.

OLD
===
# rpm -q audit
audit-2.4.1-5.el7.x86_64
# ls -l /usr/lib/systemd/system/auditd.service
-rw-r-----. 1 root root 669 Jan 14 2015 /usr/lib/systemd/system/auditd.service

NEW
===
# rpm -q audit
audit-2.6.1-1.el7.x86_64
# ls -l /usr/lib/systemd/system/auditd.service
-rw-r--r--. 1 root root 879 Jun 29 08:16 /usr/lib/systemd/system/auditd.service
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2418.html
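The verification above comes down to one mode bit: the old unit file is -rw-r----- and the new one is -rw-r--r--. The script below is an added example, not part of the bug report or of either package. It lists other unit files in the same state, on the assumption that "world-inaccessible" means the read bit for "other" is missing; the function name and the directories in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: list regular files under the given unit directories that
# lack the read bit for "other" (assumed meaning of "world-inaccessible").
#
# Usage (directories are an illustrative choice):
#   sh check-units.sh /usr/lib/systemd/system /etc/systemd/system

list_world_inaccessible() {
    for dir in "$@"; do
        # Skip directories that do not exist on this host.
        [ -d "$dir" ] || continue
        # -type f: regular files only, symlinks are not followed.
        # ! -perm -004: the "other" read bit is not set (e.g. 0640, 0600).
        find "$dir" -type f ! -perm -004 -print
    done
}

# When called with arguments, report on those directories.
if [ "$#" -gt 0 ]; then
    list_world_inaccessible "$@"
fi
```

An empty result means every regular file checked is readable by others, as in the NEW listing above.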