Package: sssd
Version: 2.10.1-2
Severity: important

Hi,
the sssd.service as present on Debian/trixie automatically sets read
permissions for the group for all files within /etc/sssd/, and also
modifies ownership permissions of /var/lib/sss/ + /var/log/sssd/.

Example:

  # ls -la /etc/sssd/sssd.conf
  -rw------- 1 root root 3394 Aug 7 17:37 /etc/sssd/sssd.conf
  # systemctl restart sssd
  # ls -la /etc/sssd/sssd.conf
  -rw-r----- 1 root root 3394 Aug 7 17:37 /etc/sssd/sssd.conf

This is caused by /usr/lib/systemd/system/sssd.service with its:

  ExecStartPre=+-/bin/chown -f -R root:root /etc/sssd
  ExecStartPre=+-/bin/chmod -f -R g+r /etc/sssd
  ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/lib/sss/db/*.ldb"
  ExecStartPre=+-/bin/chown -f -R root:root /var/lib/sss/gpo_cache
  ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/log/sssd/*.log"

The underlying change is coming from
https://github.com/SSSD/sssd/commit/8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb:

| commit 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb
| Author: Alexey Tikhonov <[email protected]>
| Date:   Thu Oct 24 15:34:26 2024 +0200
|
|     Configuration: make sure /etc/sssd and everything
|     beneath is owned by 'sssd' group and readable by group.
|
|     This should allow for reasonable rw-r----- root:sssd
|
|     At some points those chown/chmod can be removed.
| [...]

IMO this is something that shouldn't be done at all, but especially not
something for Debian. If at all, such a behavior change *could* be
implemented in maintainer scripts for upgrades to run *once*, but surely
not within each service restart, overwriting any permission/ownership
changes implemented by the local administrator.

(It's especially annoying, as sssd even fails to start with the 0640
permissions on e.g. bookworm, and when deploying such a change via
configuration management, this now needs distribution specific
workarounds.)

regards
-mika-
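
As an added example (not part of this bug report, and not code from the sssd project or Debian): a small POSIX shell script that audits a unit file for ExecStartPre= hooks invoking chown or chmod, and writes a systemd drop-in that resets the ExecStartPre= list so a restart no longer overrides ownership and permissions set by the local administrator. The sample unit content is a constructed copy of the five ExecStartPre= lines quoted above plus a placeholder ExecStart= line; the temporary directory used in place of /etc/systemd/system/sssd.service.d and the drop-in file name no-chown.conf are assumptions. Since an empty ExecStartPre= assignment clears every pre-start command of the unit, not only the chown/chmod ones, review the audit output first and re-add any other hook the unit needs.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or sssd): audit a systemd
# unit for ExecStartPre= hooks that rewrite ownership/permissions and
# generate a drop-in that resets that list. Paths and file names are
# assumptions for a local test run; nothing here touches /etc.

# Write a constructed copy of the relevant sssd.service lines to $1 so the
# functions below can be exercised without the real unit file. The
# ExecStart= line is a placeholder, not the packaged one.
make_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ExecStartPre=+-/bin/chown -f -R root:root /etc/sssd
ExecStartPre=+-/bin/chmod -f -R g+r /etc/sssd
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/lib/sss/db/*.ldb"
ExecStartPre=+-/bin/chown -f -R root:root /var/lib/sss/gpo_cache
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/log/sssd/*.log"
ExecStart=/usr/sbin/sssd -i
EOF
}

# Print every ExecStartPre= line of unit file $1 that runs chown or chmod,
# either directly or wrapped in "sh -c". Exit status 0 if any line matched,
# 1 otherwise (grep's own status).
audit_permission_hooks() {
    grep -E '^ExecStartPre=.*/bin/(chown|chmod)([[:space:]]|$)' "$1"
}

# Number of such lines in unit file $1, as a plain integer (0 if none).
count_permission_hooks() {
    audit_permission_hooks "$1" | wc -l | tr -d ' '
}

# Write a drop-in $1/no-chown.conf that resets ExecStartPre=. In systemd,
# assigning the empty string to ExecStartPre= discards every command
# collected for it so far, so only the daemon's ExecStart= remains.
# Prints the path of the written file.
write_override() {
    mkdir -p "$1"
    cat > "$1/no-chown.conf" <<'EOF'
[Service]
# Reset the ExecStartPre= list inherited from the packaged unit so that a
# restart no longer rewrites ownership and permissions under /etc/sssd,
# /var/lib/sss and /var/log/sssd. Re-add any other pre-start hook the
# audit showed the unit still needs.
ExecStartPre=
EOF
    printf '%s\n' "$1/no-chown.conf"
}

# Demo on a temporary directory standing in for /etc/systemd/system.
demo_dir=$(mktemp -d)
make_sample_unit "$demo_dir/sssd.service"
echo "Permission-rewriting hooks in $demo_dir/sssd.service:"
audit_permission_hooks "$demo_dir/sssd.service"
echo "Drop-in written to: $(write_override "$demo_dir/sssd.service.d")"
rm -rf "$demo_dir"
```

On a real host the drop-in would go to /etc/systemd/system/sssd.service.d/ followed by `systemctl daemon-reload`; the audit output is the list of hooks that the reset removes, which is what needs checking before relying on it.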

