You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[This bug is a clone of #425 from a few years ago]
SSSD is refusing to start because sssd.conf has permissions 644 instead of 600. In this situation, there is no sensitive information in sssd.conf, and the requirement that it have specific permissions is unreasonable. In fact, since this configuration file is in version control at our site, the default permission is 644, and it would be extremely easy for the file to accidentally get chmodded 644 again. The system will disallow logins if the config file is chmodded 644 at any point.
I understand that the intention is to make sure that any passwords that might be included in the config file are not publicly readable. A few alternative ways to deal with the intended security include:
Postfix puts passwords in a separate file, as does Apache with SSL keys. I'm sure there are many other examples of this general model. These systems enforce permissions for the sensitive files but not for the general configiguration. Not only does this make system administration easier, it also means that people are less likely to accidentally post sensitive information in bug reports.
Other systems, like libvirt, named, and cups set their configuration to be unreadable by default, but they don't fail if the permissions are changed by the administrator.
It's not pretty, but maybe there could be a new command-line option: --i-swear-i-dont-have-any-passwords-in-the-config-please-just-start.
Okay, so (3) isn't a serious suggestion, but I think (1) would be a really good idea. If anything, I think it actually improves security.
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1413
[This bug is a clone of #425 from a few years ago]
SSSD is refusing to start because sssd.conf has permissions 644 instead of 600. In this situation, there is no sensitive information in sssd.conf, and the requirement that it have specific permissions is unreasonable. In fact, since this configuration file is in version control at our site, the default permission is 644, and it would be extremely easy for the file to accidentally get chmodded 644 again. The system will disallow logins if the config file is chmodded 644 at any point.
I understand that the intention is to make sure that any passwords that might be included in the config file are not publicly readable. A few alternative ways to deal with the intended security include:
Postfix puts passwords in a separate file, as does Apache with SSL keys. I'm sure there are many other examples of this general model. These systems enforce permissions for the sensitive files but not for the general configiguration. Not only does this make system administration easier, it also means that people are less likely to accidentally post sensitive information in bug reports.
Other systems, like libvirt, named, and cups set their configuration to be unreadable by default, but they don't fail if the permissions are changed by the administrator.
It's not pretty, but maybe there could be a new command-line option: --i-swear-i-dont-have-any-passwords-in-the-config-please-just-start.
Okay, so (3) isn't a serious suggestion, but I think (1) would be a really good idea. If anything, I think it actually improves security.
Comments
Comment from dpal at 2012-07-12 18:45:40
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred
Comment from dpal at 2012-07-12 18:46:16
Fields changed
rhbz: => todo
Comment from jamespfinn at 2014-04-15 19:18:26
Fields changed
cc: => jamespfinn@gmail.com
changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
review: => 0
selected: =>
Comment from amcnabb at 2017-02-24 14:25:24
Metadata Update from @amcnabb:
Comment from jhrozek at 2017-05-24 20:38:07
Metadata Update from @jhrozek:
Comment from jhrozek at 2017-05-24 20:38:07
Metadata Update from @jhrozek:
Comment from jhrozek at 2017-05-24 20:38:07
Issue linked to Bugzilla: Bug 1455257
Comment from pbrezina at 2020-03-24 14:21:04
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Comment from pbrezina at 2020-03-24 14:21:05
Metadata Update from @pbrezina:
The text was updated successfully, but these errors were encountered: