[Pkg-nagios-devel] Bug#831745: Bug#831745: icinga2: file/directory permission issues
Christoph Anton Mitterer
calestyo at scientia.net
Tue Jul 19 14:08:59 UTC 2016
Hey again.
Perhaps some clarification on this from my side :-)
On Tue, 2016-07-19 at 01:06 +0200, Christoph Anton Mitterer wrote:
> I can't expect you'd change this to:
> ExecStartPre=/usr/lib/icinga2/prepare-dirs /etc/default/icinga2
> ?
I could for now live with the above, if it was implemented, which gives
people with other PHP SAPIs a way to change the permissions (along with
dpkg-statoverride).
I can also fully understand, that you don't want to allow people to
change the user/group Icinga/Nagios itself runs under (i.e. nagios).
I thought in good faith, that the alternative with the group-model (like
the icingaweb2 group does it), would be rather simple to adapt
throughout the Nagios/Icinga[1|2]/Icinga-Web[1|2]/Icinga-Classic-Web
packages, but maybe I'm just wrong or we didn't understand each other
when talking about it.
So let me try to explain it a bit more practically:
Let's take the command socket as example:
From the providing package's side:
- icinga2-common.postinst would create e.g. "icinga2_extcmd"
- icinga2-common.postrm would remove icinga2_extcmd on purge
- the places that currently set www-data for the external command socket
  would then use icinga2_extcmd. These are AFAICS:
  - /usr/lib/icinga2/icinga2 would instead use ICINGA2_COMMAND_GROUP=icinga2_extcmd
  - /etc/init.d/icinga2 would instead use DAEMON_CMDGROUP=icinga2_extcmd
  - optionally, debian/rules would instead use -DICINGA2_COMMAND_GROUP=icinga2_extcmd
From the using package's side:
Simply, all packages that may make use of the command socket, add their
group to the icinga2_extcmd, once on installation.
- So if you want to have everything running out-of-the-box with
  mod_php, we could simply do an adduser www-data icinga2_extcmd in
  e.g. Icinga Web[1|2] and Icinga Web Classic.
  AFAIU, things would continue to run out of the box.
- We could further add some docs to README.Debian, telling why this is
  done and that people can replace it in case they use a different PHP-
  user (or even several).
- Optionally, one could even do one step more: Each package like Icinga
  Web Classic, that adds www-data per default to the group, increases
  a counter stored somewhere in /var/lib/icinga.
  On package purges, the counter is decreased again, and if it reaches
  0, www-data could be removed from the group.
Okay that's quite some text, but I think the underlying idea and actual
code is rather simple.
And the same one would need to do for other such "shared" resources,
e.g. /var/cache/icinga2, just with a different user, e.g.
"icinga2_cache".
And of course if only Icinga Classic Web needs /var/cache/icinga2, only
that would automatically add www-data to it. :-)
AFAICS this would need to be done for:
/var/cache/icinga2
/var/log/icinga2
/run/icinga2/cmd
/run/icinga2 (maybe this doesn't even need www-data?)
So that would be three cases for Icinga 2:
icinga2_extcmd
icinga2_cache
icinga2_log
In case the above examples would change your opinion on the matter, I could of course again try to start with some patches, but I probably will need help in some cases (especially I don't know which component may need access to what).
Best,
Chris.
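
The counter idea from the message above, sketched as POSIX shell helpers that a using package's maintainer scripts could source. This is an added example, not part of the original mail or of the icinga2 packaging; the function names, the counter file name and the RUN dry-run hook are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from the icinga2 packaging.
# Assumed names: member_acquire, member_release, read_count, STATE_DIR, RUN.
STATE_DIR="${STATE_DIR:-/var/lib/icinga}"  # counter location suggested in the mail
RUN="${RUN:-}"                             # RUN=echo prints the commands instead

counter_file() { echo "$STATE_DIR/$1.$2.refcount"; }  # args: group user

read_count() {
    f=$(counter_file "$1" "$2")
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Call from the using package's postinst on a fresh install only
# ($1 is "configure" and $2, the previously configured version, is empty),
# so that upgrades do not bump the counter a second time.
member_acquire() {
    n=$(read_count "$1" "$2")
    # Only the first package that needs the access adds the user.
    if [ "$n" -eq 0 ]; then $RUN adduser --quiet "$2" "$1"; fi
    echo $((n + 1)) > "$(counter_file "$1" "$2")"
}

# Call from the using package's postrm when $1 is "purge".
member_release() {
    n=$(read_count "$1" "$2")
    [ "$n" -gt 0 ] || return 0   # nothing recorded: never underflow
    n=$((n - 1))
    if [ "$n" -eq 0 ]; then
        # Last user of the resource is gone: drop the membership again.
        $RUN deluser --quiet "$2" "$1"
        rm -f "$(counter_file "$1" "$2")"
    else
        echo "$n" > "$(counter_file "$1" "$2")"
    fi
}
```

With one counter per group and user, www-data keeps access to the command socket only while at least one installed package still asked for it.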