| 1 |
>>> I have to chown munin:nginx and chmod g+x on directory /run/munin/ |
| 2 |
>>> after every reboot. The munin list suggests altering the initscript |
| 3 |
>>> but is there a better way? |
| 4 |
>> |
| 5 |
>> There are ways, but I wouldn't call them better. |
| 6 |
> |
| 7 |
> The way to do it nowadays would be by placing a file with the content |
| 8 |
> d /run/munin 0775 munin nginx |
| 9 |
> into /usr/lib/tmpfiles.d (if done by the distribution) or into |
| 10 |
> /etc/tmpfiles.d (if this is only needed for your special setup). |
| 11 |
|
| 12 |
|
| 13 |
Will do. Is that leading "d " supposed to be there? |
| 14 |
|
| 15 |
Am I creating and editing /etc/tmpfiles.d or /etc/tmpfiles.d/anyfilename ? |
| 16 |
|
| 17 |
- Grant |
| 18 |
|
| 19 |
|
| 20 |
>> /run is often a tmpfs so the dir has to be mkdir'ed somehow after reboot |
| 21 |
>> anyway. The initscript is the perfect place to do it. |
| 22 |
> |
| 23 |
> No, it is not the perfect place, because such a thing would |
| 24 |
> be strange to do if e.g. the initscript is restarted or |
| 25 |
> started only very late for some reasons (possibly hours |
| 26 |
> after the system start, if munin is not needed immediately.) |
| 27 |
> (OK, in /run it is not a security risk, but in world-writable |
| 28 |
> directories there exist symlink attacks or other bad things |
| 29 |
> if you create dirs/files too late and with a predictable name. |
| 30 |
> For dirs, it might be possible if you are *very* careful, |
| 31 |
> but the obvious "mkdir ...; chown ...; chmod ..." would be a |
| 32 |
> horrible security failure.) |
| 33 |
> |
| 34 |
> Moreover, it is an init-system specific solution |
| 35 |
> while you can have a general solution. |
| 36 |
> Meanwhile, at least openrc and systemd both support the |
| 37 |
> tmpfiles.d subdirectories; I do not know the state of |
| 38 |
> other init-systems, but it is not hard to extend any |
| 39 |
> init-system of your choice to support these directories. |
| 40 |
> In any case, they are more compatible than a solution |
| 41 |
> which works with only *one* init-system. |
Archives