Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Andreas.Ley at kit.edu
Tue Nov 13 13:08:19 GMT 2018
> I can see the problem, but I'm not sure how to improve on this. We
> don't want to support running shibd as root, so we added the warning to
I'm totally with you here!
> prod admins to migrate under jessie.
It seems you didn't use a big enough cattle prod here ;-) Without the
explicit systemd service, it still runs seamlessly as root...
> There was a NEWS entry as well.
I had something in mind like the warning mails I get for behaviour changes
from unattended upgrades... Since I don't do dist-upgrades, but clean
re-installs to get rid of no-longer-needed stuff on my servers, it seems
I have to improve my reading and include all the NEWS* files for all the
> Systemd can't really provide a fallback to root anyway. Now we're
> nearing the buster freeze already; I think the best thing to do would be
> decoding the error codes so that the daemon prints human readable error
> messages (for example "permission denied" in this case). Would you find
> that a valid fix? However, this wouldn't help current stretch users
> (who must have already solved this) nor future upgrades to buster.
> Still, it would be a slight improvement upstream, I guess.
Yes, this might help - and now that I'm better aware of the NEWS* files,
perhaps an entry in a shibboleth-sp2-utils (where _this_ change really
happend) NEWS file, like, "now we have a systemd service, now you not
only SHOULD change to _shibd, now you MUST" or anything more prominent.
You're right, you did document the change, and it's the ignorant admins
out there that have a problem, so everything should be fine, but now that
you know of these admins, perhaps you stumble upon a bigger prod - if not,
ok, it's us admins that have to learn the hard way ;-)
Thanks for your time, for the work that you put in these packages and for
dealing with people like me :)
Andreas Ley, SCC, Karlsruhe Institute of Technology (KIT), D-76128 Karlsruhe
E-Mail: Andreas.Ley at kit.edu, Telephone: +49 721 608 46341, Fax: +49 721 32550
"It's 106 ms to Chicago, we've got a full disk of GIFs, half a meg of hypertext,
it's dark, and we're wearing sunglasses." "Click it." -- Christopher Davis
More information about the Pkg-shibboleth-devel