[Pkg-sssd-devel] Bug#1110823: sssd.service modifies file permissions on each service startup
Michael Prokop
mika at debian.org
Mon Aug 11 09:43:17 BST 2025
Package: sssd
Version: 2.10.1-2
Severity: important
Hi,
the sssd.service as present on Debian/trixie automatically sets read
permissions for the group for all files within /etc/sssd/, and also
modifies ownership permissions of /var/lib/sss/ + /var/log/sssd/.
Example:
# ls -la /etc/sssd/sssd.conf
-rw------- 1 root root 3394 Aug 7 17:37 /etc/sssd/sssd.conf
# systemctl restart sssd
# ls -la /etc/sssd/sssd.conf
-rw-r----- 1 root root 3394 Aug 7 17:37 /etc/sssd/sssd.conf
This is caused by /usr/lib/systemd/system/sssd.service with its:
ExecStartPre=+-/bin/chown -f -R root:root /etc/sssd
ExecStartPre=+-/bin/chmod -f -R g+r /etc/sssd
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/lib/sss/db/*.ldb"
ExecStartPre=+-/bin/chown -f -R root:root /var/lib/sss/gpo_cache
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:root /var/log/sssd/*.log"
The underlying change is coming from
https://github.com/SSSD/sssd/commit/8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb:
| commit 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb
| Author: Alexey Tikhonov <atikhono at redhat.com>
| Date: Thu Oct 24 15:34:26 2024 +0200
|
| Configuration: make sure /etc/sssd and everything
| beneath is owned by 'sssd' group and readable by group.
|
| This should allow for reasonable rw-r----- root:sssd
|
| At some points those chown/chmod can be removed.
| [...]
IMO this is something that shouldn't be done at all, but especially
not something for Debian. If at all, such a behavior change *could*
be implemented in maintainer scripts for upgrades to run *once*, but
surely not within each service restart, overwriting any
permission/ownership changes implemented by the local administrator.
(It's especially annoying, as sssd even fails to start with the 0640
permissions on e.g. bookworm, and when deploying such a change via
configuration management, this now needs distribution specific
workarounds.)
regards
-mika-
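As an added example (not part of the bug report or of the sssd project), a small POSIX shell script that records mode and ownership of everything below the directories the unit touches, restarts the unit, and prints exactly what the ExecStartPre= lines changed. It assumes GNU coreutils (stat -c) and root privileges for the restart; the unit name and directory list are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the report or of sssd: detect mode/ownership
# drift caused by a service restart. Assumes GNU stat(1) with -c.
set -eu

# Print "mode owner:group path" for every entry below $1, sorted by path.
snapshot_perms() {
    find "$1" -exec stat -c '%a %U:%G %n' {} + | sort -k3
}

# Compare two snapshot files. Prints changed lines ("< before", "> after").
# Returns 0 when identical, 1 when something drifted, 2 on unreadable input.
perms_diff() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    diff "$1" "$2" | grep '^[<>]' && return 1
    return 0
}

# Snapshot the given directories, restart the unit, snapshot again and
# report the difference. Usage:
#   check_restart_drift sssd.service /etc/sssd /var/lib/sss /var/log/sssd
check_restart_drift() {
    unit=$1; shift
    before=$(mktemp); after=$(mktemp)
    for d in "$@"; do snapshot_perms "$d"; done > "$before"
    systemctl restart "$unit"
    for d in "$@"; do snapshot_perms "$d"; done > "$after"
    echo "mode/ownership changes caused by restarting $unit (< before, > after):"
    rc=0
    perms_diff "$before" "$after" || rc=$?
    rm -f "$before" "$after"
    return "$rc"
}

# Only run the live check when invoked with arguments; the functions above
# can also be sourced and used on their own.
if [ "$#" -gt 0 ]; then
    check_restart_drift "$@"
fi
```

A non-zero exit means the restart rewrote something; on an affected trixie host the 0600 /etc/sssd/sssd.conf shown in the report appears as a `< 600` / `> 640` pair. If the chown/chmod steps must be suppressed locally, a drop-in under /etc/systemd/system/sssd.service.d/ with an empty `ExecStartPre=` line resets the inherited list before any ExecStartPre= lines of your own.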