Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)

Ferenc Wágner wagner.ferenc at kifu.gov.hu
Tue Nov 13 10:52:41 GMT 2018

Andreas Ley <Andreas.Ley at kit.edu> writes:

> Did not realize there now is a _shibd user that needs to access the
> keys since on jessie, shibd automatically runs as root in such a
> situation.
> [...]
> On stretch, there is a /lib/systemd/system/shibd.service which misses
> both the automatism and the warning.

Hi Andreas,

I can see the problem, but I'm not sure how to improve on this.  We
don't want to support running shibd as root, so we added the warning to
prod admins to migrate under jessie.  There was a NEWS entry as well.
Systemd can't really provide a fallback to root anyway.  Now we're
nearing the buster freeze already; I think the best thing to do would be
decoding the error codes so that the daemon prints human readable error
messages (for example "permission denied" in this case).  Would you find
that a valid fix?  However, this wouldn't help current stretch users
(who must have already solved this) nor future upgrades to buster.
Still, it would be a slight improvement upstream, I guess.

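An added example, not part of the message above or of the shibboleth-sp2-utils package: a pre-start check that reports in plain words when an account such as _shibd cannot read a key file, which is the warning the bug title says the systemd unit lacks. It assumes classic owner/group/other mode bits only (ACLs and capabilities are ignored); the function names are hypothetical and the file paths are supplied by the caller.

```python
import os
import pwd
import sys

def ids_for(user):
    """Look up the uid and the full group set of a local account name."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

def allowed(path, uid, gids, bit):
    """Owner/group/other mode check; bit is 4 (read) or 1 (directory search)."""
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        shift = 6          # owner bits apply, even if group/other are wider
    elif st.st_gid in gids:
        shift = 3          # group bits apply
    else:
        shift = 0          # other bits apply
    return bool((st.st_mode >> shift) & bit)

def unreadable_reason(path, uid, gids):
    """Return None if uid can read path, else a human-readable reason."""
    path = os.path.realpath(path)
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for d in reversed(dirs):   # walk from / down to the key's own directory
        if not allowed(d, uid, gids, 1):
            return f"permission denied: uid {uid} cannot traverse {d}"
    if not allowed(path, uid, gids, 4):
        return f"permission denied: uid {uid} cannot read {path}"
    return None

if __name__ == "__main__":
    # usage: script ACCOUNT FILE...  (account name, then key/cert files to check)
    uid, gids = ids_for(sys.argv[1])
    problems = [r for r in (unreadable_reason(f, uid, gids) for f in sys.argv[2:]) if r]
    for r in problems:
        print("warning:", r, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

The check also walks the parent directories, since a key with the right mode is still unreadable when one directory above it denies search permission to the service account.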