Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)

Andreas Ley Andreas.Ley at kit.edu
Tue Nov 13 13:08:19 GMT 2018

> I can see the problem, but I'm not sure how to improve on this.  We
> don't want to support running shibd as root, so we added the warning to

I'm totally with you here!

> prod admins to migrate under jessie.

It seems you didn't use a big enough cattle prod here ;-) Without the
explicit systemd service, it still runs seamlessly as root...

> There was a NEWS entry as well.

I had something in mind like the warning mails I get for behaviour changes
from unattended upgrades... Since I don't do dist-upgrades, but clean
re-installs to get rid of no-longer-needed stuff on my servers, it seems
I have to improve my reading and include all the NEWS* files for all the

> Systemd can't really provide a fallback to root anyway.  Now we're
> nearing the buster freeze already; I think the best thing to do would be
> decoding the error codes so that the daemon prints human readable error
> messages (for example "permission denied" in this case).  Would you find
> that a valid fix?  However, this wouldn't help current stretch users
> (who must have already solved this) nor future upgrades to buster.
> Still, it would be a slight improvement upstream, I guess.

Yes, this might help - and now that I'm better aware of the NEWS* files,
perhaps an entry in a shibboleth-sp2-utils (where _this_ change really
happend) NEWS file, like, "now we have a systemd service, now you not
only SHOULD change to _shibd, now you MUST" or anything more prominent.

You're right, you did document the change, and it's the ignorant admins
out there that have a problem, so everything should be fine, but now that
you know of these admins, perhaps you stumble upon a bigger prod - if not,
ok, it's us admins that have to learn the hard way ;-)

Thanks for your time, for the work that you put in these packages and for
dealing with people like me :)

Bye, Andy

Andreas Ley, SCC, Karlsruhe Institute of Technology (KIT), D-76128 Karlsruhe
E-Mail: Andreas.Ley at kit.edu, Telephone: +49 721 608 46341, Fax: +49 721 32550
"It's 106 ms to Chicago, we've got a full disk of GIFs, half a meg of hypertext,
it's dark, and we're wearing sunglasses."  "Click it." -- Christopher Davis

More information about the Pkg-shibboleth-devel mailing list