Bug 1293941 - Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible
Configuration file /usr/lib/systemd/system/auditd.service is marked world-ina...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Steve Grubb
Ondrej Moriš
: 1291464 1300337 1301177 (view as bug list)
Depends On: 1241565
Blocks: 1203710 1296594 1313485
  Show dependency treegraph
Reported: 2015-12-23 10:49 EST by Robert Scheck
Modified: 2016-11-04 02:12 EDT (History)
19 users (show)

See Also:
Fixed In Version: audit-2.5.2-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-04 02:12:43 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2418 normal SHIPPED_LIVE audit bug fix and enhancement update 2016-11-03 09:58:32 EDT

  None (edit)
Description Robert Scheck 2015-12-23 10:49:40 EST
Description of problem:
Dec 23 15:44:55 tux systemd: Configuration file /usr/lib/systemd/system
/auditd.service is marked world-inaccessible. This has no effect as
configuration data is accessible via APIs without restrictions. Proceeding

Version-Release number of selected component (if applicable):

How reproducible:
Everytime, e.g. after reboot.

Actual results:
Unnecessary warnings in /var/log/messages.

Expected results:
No warnings in /var/log/messages.
Comment 1 Robert Scheck 2015-12-23 10:50:37 EST
Cross-filed case 01558859 on the Red Hat customer portal.
Comment 4 Steve Grubb 2016-01-20 12:36:10 EST
*** Bug 1300337 has been marked as a duplicate of this bug. ***
Comment 6 Steve Grubb 2016-01-22 15:31:47 EST
*** Bug 1301177 has been marked as a duplicate of this bug. ***
Comment 10 Steve Grubb 2016-03-29 08:29:25 EDT
*** Bug 1291464 has been marked as a duplicate of this bug. ***
Comment 11 (GalaxyMaster) 2016-04-04 10:36:17 EDT
I think that actually systemd is wrong to demand unit files to be world-readable, there is no real justification for that and it also limits the ability to specify semi-sensitive stuff in the unit files (previously it was possible to make a unit file readable to root only, so you could have put stuff only root was supposed to see).

That recent change in systemd is actually was badly thought-out since there are numerous packages which are quite strict with permissions (and it is actually a good thing to be strict and follow the least-privilege principle), as the result the system logs are spammed with that useless warning.
Comment 12 Robert Scheck 2016-04-04 10:44:36 EDT
If I want to know what's inside of the auditd systemd unit file, I simply
can download the package from CentOS and look inside - thus I dislike your 
argumentation. I even can run "systemctl status auditd.service" etc. as a
user to see what's actually performed and running. Anyway, this bug report
is *not* about making the auditd systemd unit file world-readable, but just
and only about removing the message that is spewed to the logs (and I less
care how this is achieved, either by fixing permissions or by disabling the
code path causing the log message). If you would like to discuss this, I
kindly suggest to follow up the dependent bug #1241565 where discussions
about this happened.
Comment 13 Steve Grubb 2016-04-29 13:22:47 EDT
audit-2.5.2-1.el7 has been built to address this issue.
Comment 15 Ondrej Moriš 2016-06-30 04:46:57 EDT
Successfully reproduced and verified.

# rpm -q audit

# ls -l /usr/lib/systemd/system/auditd.service 
-rw-r-----. 1 root root 669 Jan 14  2015 /usr/lib/systemd/system/auditd.service

# rpm -q audit
# ls -l /usr/lib/systemd/system/auditd.service 
-rw-r--r--. 1 root root 879 Jun 29 08:16 /usr/lib/systemd/system/auditd.service
Comment 17 errata-xmlrpc 2016-11-04 02:12:43 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.