FS#57456 - [munin] Root writing to a dir owned by a user

Attached to Project: Community Packages
Opened by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 07:16 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:00 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Santiago Torres (sangy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The tmpfiles entry in this package creates /run/munin/ as owned by munin:munin, but then the service files run the daemons as root, causing the PID files to be written as root to a dir owned by a user. This is a security risk and systemd has disabled this in the current version, but relaxed them a bit as too many daemons do the wrong thing here. See https://github.com/systemd/systemd/issues/8085

The service files should either be run as the user or the dir should be owned by root:root.

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:00 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/munin/issues/2
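
Added example, not part of the original report or the munin package: a small Python check for the pattern described in the Details above, flagging a unit that runs as root while its PIDFile sits in a directory that a tmpfiles.d entry assigns to a non-root user. The tmpfiles.d lines, unit text and function names are constructed for illustration, and only a literal User=root (or no User= at all) is treated as root.

```python
import configparser
import posixpath

# Constructed samples for illustration; not the Arch package's real files.
TMPFILES = """\
d /run/munin 0755 munin munin -
d /run/example 0755 - - -
"""
UNIT_ROOT = """\
[Service]
Type=forking
PIDFile=/run/munin/munin-node.pid
ExecStart=/usr/bin/munin-node
"""
UNIT_USER = UNIT_ROOT + "User=munin\n"  # same unit, but dropping privileges


def dir_owners(tmpfiles_text):
    """Map directories created by tmpfiles.d d/D lines to their owning user."""
    owners = {}
    for line in tmpfiles_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0][0] not in "dD":
            continue
        user = fields[3] if len(fields) > 3 else "-"
        owners[posixpath.normpath(fields[1])] = "root" if user == "-" else user
    return owners


def pidfile_finding(unit_text, owners):
    """Return a warning if a root-run unit has its PIDFile in a non-root dir."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # unit keys are case-sensitive
    cp.read_string(unit_text)
    if not cp.has_section("Service"):
        return None
    svc = cp["Service"]
    run_as, pidfile = svc.get("User", "root"), svc.get("PIDFile")
    if not pidfile or run_as != "root":
        return None
    owner = owners.get(posixpath.dirname(pidfile))
    if owner in (None, "root"):
        return None
    return f"root writes {pidfile} into a directory owned by {owner}"


if __name__ == "__main__":
    owners = dir_owners(TMPFILES)
    for name, unit in (("root unit", UNIT_ROOT), ("User=munin unit", UNIT_USER)):
        print(name, "->", pidfile_finding(unit, owners) or "ok")
```
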
Comment by Richard (nerux) - Sunday, 11 February 2018, 19:33 GMT
I confirm this issue.
Comment by Doug Newgard (Scimmia) - Sunday, 11 February 2018, 19:46 GMT
Demize brought up a 3rd option in FS#57457. If it's possible to simply have the daemon not fork, that would be a better solution than those I mentioned earlier.
Comment by Pierre-Alain TORET (daftaupe) - Thursday, 05 April 2018, 13:58 GMT
It seems we can make the munin-node process run as a foreground process by changing the config file /etc/munin/munin-node.conf
background 0
setsid 0
taken from http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html
Comment by Levente Polyak (anthraxx) - Thursday, 05 April 2018, 14:09 GMT
We should check if the service can be run as a user instead of root; that would make a lot more sense and be safer, not running services as root.
Comment by Pierre-Alain TORET (daftaupe) - Thursday, 05 April 2018, 14:11 GMT
Well the config file has user / group settings, so I guess that would work.

Edit: I tried, munin-node can be run as munin:munin if the user/group properties are properly set up in the config file.
As a consequence, the permissions on /var/lib/munin/plugin-state/nobody/ have to be adapted accordingly.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
