Hello,
today, I was stumbling about this issue with Trixie.
Indeed, here, sssd.conf is managed by Ansible which ensures file
permissions are 0600 during each playbook execution following a restart
of the sssd service if sssd.conf has changed. As a result, the playbook
is reporting 2 changes each time which is misleading and requires a fix.
Some tests with systemd overrides have shown, that the new sssd in
Trixie happily accepts any permission for OWNER and GROUP, as long as
there is nothing configured for OTHERS, examples:
- good: 0400, 0440, 0600, 0640, 0660, etc.
- bad: 0444, 0644, 0664, 0666, etc.
I endorse the view of mika. Changing file permissions during each
service start is unexpected and not usual practice as far as I know.
These kind of settings should be documented and if at all, only executed
once during package installation and/or upgrade.
Besides, sssd is reporting wrong permissions just fine with a clear
error and does not start, same as before with bookworm.
In addition, the upstream commit is talking about giving read to a group
called 'sssd'. On my system, this group is existing, but it is not
utilized here (chown ... root:root...). Therefore, the additional read
permission for the group is more or less redundant.
The new behavior is forcing everybody with config mgmt tools to
implement a fix. With the old behavior there would be no change
necessary at all.
There is another issue. Let's say, someone decides that a group (of
users) should be allowed to edit sssd.conf. In this case, the desired
group write permissions would not persist and the only way to solve the
situation is to change the sssd service. Luckily, systemd allows doing
so with override files, but still, it would be a unnecessary burden.
I suggest to remove the 'ExecStartPre' settings again, even for the
Trixie stable release, because such a change would not break anything.
Thanks and Best Regards
Berni
