[Pkg-nagios-devel] Bug#831745: Bug#831745: icinga2: file/directory permission issues

Christoph Anton Mitterer calestyo at scientia.net
Tue Jul 19 14:08:59 UTC 2016

Hey again.

Perhaps some clarification on this from my side :-)

On Tue, 2016-07-19 at 01:06 +0200, Christoph Anton Mitterer wrote:
> I can't expect you'd change this to:
> ExecStartPre=/usr/lib/icinga2/prepare-dirs /etc/default/icinga2
> ?
I could for not live with the above, if it was implemented, which gives
people with other PHP SAPIs a way to change the permissions (along with

I can also fully understand, that you don't want to allow people to
change the user/group Icinga/Nagios itself runs under (i.e. nagios).

I though in good faith, that the alternative with the group-model (like
the icingaweb2 group does it), would be rather simple to adapt
throughout the Nagios/Icinga[1|2]/Icinga-Web[1|2]/Icinga-Classic-Web
packages, but maybe I'm just wrong or we didn't understand each other
when talking about it.
So let me try to explain it a bit more practically:

Let's take the command socket as example:
From the providing package's side:
- icinga2-common.postinst would create e.g. "icinga2_extcmd"
- icinga2-common.postre would remove icinga2_extcmd on purge
- the places that current set www-data for the external command socket
  would then use icinga2_extcmd. These are AFAICS:
  - /usr/lib/icinga2/icinga2 would instead use ICINGA2_COMMAND_GROUP=icinga2_extcmd
  - /etc/init.d/icinga2 would instead use DAEMON_CMDGROUP=icinga2_extcmd
  - optionally, debian/rules would instead use -DICINGA2_COMMAND_GROUP=icinga2_extcmd

From the using package's side:
Simply, all packages that may make use of the command socket, add their
group to the icinga2_extcmd, once on installation.
- So if you want to have everything running out-of-the-box with
  mod_php, we could simply do an adduser www-data icinga2_extcmd in
  e.g. Icinga Web[1|2] and Icinga Web Classic.
  AFAIU, things would continue to run out of the box.
- We could further add some docs to README.Debian, telling why this is
  done and that people can replace it in case they use a different PHP-
  user (or even several).
- Optionally, one could even do one step more: Each package like Icinga
  Web Classic, that adds www-data per default to the group, increases
  a counter stored somewhere in /var/lib/icinga.
  On package purges, the counter is decreased again, and  if it reaches
  0, www-data could be removed from the group.

Okay that's quite some text, but I think the underlying idea and actual
code is rather simple.
And the same one would need to do for other such "shared" resources,
e.g. /var/cache/icinga2, just with a different user, e.g.
And of course if only Icinga Classic Web needs /var/cache/icinga2, only
that would automatically add www-data to it. :-)

AFAICS this would need to be done for:
/run/icinga2 (maybe this doesn't even need www-data?)

So would be three cases for Icinga 2:

In case the above examples would change your opinion on the matter, I could of course again try to start with some patches, but I probably will need help in some cases (especially I don't know which component may need access to what).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20160719/ca32a867/attachment.bin>

More information about the Pkg-nagios-devel mailing list