Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)

Andreas Ley Andreas.Ley at kit.edu
Thu Nov 8 14:52:43 GMT 2018

Package: shibboleth-sp2-utils
Version: 2.6.0+dfsg1-4+deb9u1
Severity: minor

Dear Maintainer,

   * What led up to the situation?

Migrated shibboleth x.509 keys (root owned, mode 400) from a jessie system to stretch.

   * What exactly did you do (or not do) that was effective (or

Did not realize there now is a _shibd user that needs to access the keys since on jessie, shibd automatically runs as root in such a situation.

   * What was the outcome of this action?

/var/log/shibboleth/shibd.log lists:

2018-11-08 08:30:59 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 406
2018-11-08 08:30:59 ERROR OpenSSL : error data: fopen('.../conf/ssl/sp.key','r')
2018-11-08 08:30:59 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 408

   * What outcome did you expect instead?

Either the same logic as on jessie or a more prominent hint for the admin to adapt to the new situation.

   * What caused the problem?

On jessie, there is no explict systemd service file but one is generated from /etc/init.d/shibd as /run/systemd/generator.late/shibd.service
so the whole init.d logic is also available to systemd. This logic has been amended by debian/patches/Improve-shibd-init-script.patch's
prepare_environment() which runs shibd in test mode, looks for the error above and then automatically disables running as $DAEMON_USER
The associated warning is easily overseen as the logs are noisy and everything is fine.

On stretch, there is a /lib/systemd/system/shibd.service which misses both the automatism and the warning.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages shibboleth-sp2-utils depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u3
ii  libfcgi0ldbl         2.4.0-8.4+b1
ii  libgcc1              1:6.3.0-18+deb9u1
ii  liblog4shib1v5       1.0.9-3
ii  libsaml9             2.6.0-4+deb9u1
ii  libshibsp-plugins    2.6.0+dfsg1-4+deb9u1
ii  libshibsp7           2.6.0+dfsg1-4+deb9u1
ii  libstdc++6           6.3.0-18+deb9u1
ii  libsystemd0          232-25+deb9u4
ii  libxerces-c3.1       3.1.4+debian-2+deb9u1
ii  libxmltooling7       1.6.0-4+deb9u1
ii  lsb-base             9.20161125

Versions of packages shibboleth-sp2-utils recommends:
ii  openssl  1.1.0f-3+deb9u2

shibboleth-sp2-utils suggests no packages.

-- debconf-show failed

More information about the Pkg-shibboleth-devel mailing list