Arch Linux


FS#57456 - [munin] Root writing to a dir owned by a user

Attached to Project: Arch Linux
Opened by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 07:16 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 13 September 2020, 11:52 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

The tmpfiles entry in this package creates /run/munin/ as owned by munin:munin, but then the service files run the daemons as root, causing the PID files to be written as root to a dir owned by a user. This is a security risk and systemd has disabled this in the current version, but relaxed them a bit as too many daemons do the wrong thing here. See https://github.com/systemd/systemd/issues/8085

The service files should either be run as the user or the dir should be owned by root:root.
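
An added example, not part of the original report or of the munin package: a Python audit that walks a directory tree such as /run and lists entries owned by root inside directories owned by another user, which is the condition this report describes. The function names and the default scan path are assumptions made for the example.

```python
import os
import sys
from typing import Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str
    owner_uid: int   # owner of the entry itself (lstat, symlinks not followed)
    parent_uid: int  # owner of the directory that contains the entry


def collect(root: str) -> List[Entry]:
    """Walk root without following symlinks and record ownership pairs."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        try:
            parent_uid = os.lstat(dirpath).st_uid
        except OSError:
            continue  # directory vanished or is unreadable
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # entry vanished between listing and stat
            entries.append(Entry(full, st.st_uid, parent_uid))
    return entries


def root_in_user_dirs(entries: Iterable[Entry]) -> List[Entry]:
    """Entries owned by root (uid 0) whose containing directory is not."""
    return [e for e in entries if e.owner_uid == 0 and e.parent_uid != 0]


if __name__ == "__main__":
    # Assumed default: scan /run, where PID files usually live.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/run"
    for e in root_in_user_dirs(collect(scan_root)):
        print(f"root-owned {e.path} inside directory owned by uid {e.parent_uid}")
```

Each line of output names a file a root process wrote into a directory that an unprivileged account controls; the two remedies from the report (run the service as that user, or make the directory root:root) both make the line disappear.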

Comment by Richard (nerux) - Sunday, 11 February 2018, 19:33 GMT
I confirm this issue.
Comment by Doug Newgard (Scimmia) - Sunday, 11 February 2018, 19:46 GMT
Demize brought up a 3rd option in FS#57457. If it's possible to simply have the daemon not fork, that would be a better solution than those I mentioned earlier.
Comment by Pierre-Alain TORET (daftaupe) - Thursday, 05 April 2018, 13:58 GMT
It seems we can make the munin-node process run as a foreground process by changing the config file /etc/munin/munin-node.conf:
    background 0
    setsid 0
Taken from http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html
Comment by Levente Polyak (anthraxx) - Thursday, 05 April 2018, 14:09 GMT
We should check if the service can be run as a user instead of root; that would make a lot more sense and be safer, not running services as root.
Comment by Pierre-Alain TORET (daftaupe) - Thursday, 05 April 2018, 14:11 GMT
Well, the config file has user / group settings, so I guess that would work.

Edit: I tried; munin-node can be run as munin:munin if the user/group properties are properly set up in the config file.
As a consequence, the permissions on /var/lib/munin/plugin-state/nobody/ have to be adapted accordingly.
