debian/authd.service: Don't set mode for /etc/authd

[adombeck]

When installing the Debian package, the directory is created with mode 0777 - umask (so 0755 by default). Telling systemd that it should be 0700 results in the following warning in the logs:

authd.service: ConfigurationDirectory 'authd' already exists but the mode is different. (File system: 755 ConfigurationDirectoryMode: 700)

Commit 9ff0d1a intended to fix that by changing the mode to 0700 but only did so when updating from a version < 0.4.0.

The directory doesn't contain any secrets, so it's fine to use the default mode. That has some UX benefits because it allows users to use shell completion for paths below /etc/authd and to read the config file without sudo.

[adombeck]

Commit 9ff0d1a intended to fix that by changing the mode to 0700 but only did so when updating from a version < 0.4.0.

I only noticed that today because apparently I never removed the existing /etc/authd directory with 0700 permissions in my testing VM (apt purge keeps it around if it's not empty).

Regarding enforcing 0700 vs allowing 0755, I know we had that discussion before on #753. There both @3v1n0 and @didrocks had a slight preference for the stricter permissions. After many months of using an /etc/authd with 0700, I can say that I did find it annoying to not have tab completion for paths below that directory, e.g. when looking at the config file or the brokers.d subdirectory. So I have a stronger feeling now that we should use the 0755 permissions as long as the directory doesn't contain any secrets, which it currently does not.

@3v1n0, on #753 (comment) you suggested that we should keep it secret which brokers are configured. That is not really secret though, there are several other unprivileged ways to see which brokers are available:

• Looking at the D-Bus system bus to see which brokers are running
• Looking at /var/snap to see which brokers are installed
• Starting a process that uses PAM

[3v1n0]

That has some UX benefits because it allows users to use shell completion for paths below /etc/authd and to read the config file without sudo.

Well, there are no secrets, but still the user can now more how the system is configured (if we're doing users mapping, that would be at snap scope, right?), likely not an issue for now but I wonder why SSSD uses 700 for that.

[3v1n0]

I can say that I did find it annoying to not have tab completion for paths below that directory, e.g. when looking at the config file or the brokers.d subdirectory.

Yeah, I understand the developer feeling, but that's not who we should target IMHO. It's fine if you do it in your system

[adombeck]

Yeah, I understand the developer feeling, but that's not who we should target IMHO

our users (admins who configure authd) also have to use those files, and that would improve UX for them too

[adombeck]

I wonder why SSSD uses 700 for that

it seems like some of the options in sssd.conf can contain cleartext secrets:

    ldap_default_authtok (string) 
    The authentication token of the default bind DN. Only clear text passwords are currently supported.