Andreas Ley <andreas....@kit.edu> writes:

> Did not realize there now is a _shibd user that needs to access the
> keys since on jessie, shibd automatically runs as root in such a
> situation.
> [...]
> On stretch, there is a /lib/systemd/system/shibd.service which misses
> both the automatism and the warning.

Hi Andreas,

I can see the problem, but I'm not sure how to improve on this. We don't want to support running shibd as root, so we added the warning to prod admins to migrate under jessie. There was a NEWS entry as well. Systemd can't really provide a fallback to root anyway.

Now we're nearing the buster freeze already; I think the best thing to do would be decoding the error codes so that the daemon prints human-readable error messages (for example "permission denied" in this case). Would you find that a valid fix? However, this wouldn't help current stretch users (who must have already solved this) nor future upgrades to buster. Still, it would be a slight improvement upstream, I guess.

-- 
Regards,
Feri