Unreported change of shibd user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shibboleth-sp2 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
In 18.04 the systemd unit file for shibd is configured to run shibd as the _shibd user instead of root. However, in previous versions this has always been root. Therefore (besides the problems with curl, see #1776489), the upgrade results in shibd not working correctly, since it can't write to the root-owned logs it previously created, and often can't read the CredentialResolver key, since that would be owned by root if installed securely.
It would be sensible to at least add information on this change of user in the release notes of 18.04. I would also suggest a debconf notification in the package and preferably a script to at least chown log folders and files on upgrade. The key is hard to automate, but information from debconf or release notes should inform a sysadmin on how to continue.
Status changed to 'Confirmed' because the bug affects multiple users.
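The following is an added example, not part of the bug report or the shibboleth-sp2 package: a post-upgrade check that lists log files the service account does not own and verifies that the key is owned by that account without group or other permission bits. The function names are hypothetical, and the log directory and key file are passed as arguments because the report names no paths.

```shell
#!/bin/sh
# Added example (not from the package). Usage:
#   sh audit.sh _shibd LOG_DIR KEY_FILE
# USER may be an account name or a numeric uid; paths are supplied by the admin.

# Print every entry under the given paths that USER does not own.
# Returns 0 if all are owned by USER, 1 if any are not, 2 if find failed.
audit_owner() {
    user=$1; shift
    bad=$(find "$@" ! -user "$user" -print) || return 2
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s/^/not owned by $user: /"
        return 1
    fi
    return 0
}

# The key must be owned by USER and carry no group/other permission bits,
# so moving it from root to the service account does not widen access.
# Returns 0 if both hold, 1 if not, 2 if the file is missing.
audit_key() {
    user=$1
    key=$2
    [ -f "$key" ] || { echo "missing: $key"; return 2; }
    if [ -n "$(find "$key" ! -user "$user" -print)" ]; then
        echo "key not owned by $user: $key"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "key accessible beyond owner ($mode): $key"
        return 1
    fi
    return 0
}

# Run both checks when called with USER LOG_DIR KEY_FILE.
if [ "$#" -eq 3 ]; then
    audit_owner "$1" "$2"
    audit_key "$1" "$3"
fi
```

Each line of output is a path whose owner or mode needs changing before shibd can run as _shibd.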