On 22.05.2016 00:25, Iustin Pop wrote:

>> ,----
>> |   chown smokeping:smokeping /var/lib/smokeping
>> |   chown smokeping:smokeping /etc/smokeping/smokeping_secrets
>> |   chmod 640 /etc/smokeping/smokeping_secrets
>> `----
>>
>> This unconditionally destroys any custom permissions the admin may have
>> set. Overwriting the permissions for /etc/smokeping/smokeping_secrets is
>> especially disastrous because this file needs to be read by the www-data
>> user (or group) to allow slaves to connect correctly.
>>
>> Right now the only option is to use POSIX-ACLs to allow www-data to read
>> that file because if you just use "chgrp www-data" this change will get
>> overwritten the next time the package is updated.
> 
> Since there's no mechanism (AFAIK) for automatically handling custom
> permissions for conffiles, and both the admin and the package fight over
> this, the first solution that comes to mind is to add debconf questions
> for owner and mode, and always use debconf/the package to manage the
> permissions. This would solve both problems (conflicts and custom
> permissions).
> 
> A simpler alternative but not that flexible would be to add only one
> question ("support slaves"), which would set different, but still hard-coded
> permissions.

In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760945#12 I
corrected my statement concerning the directory /var/lib/smokeping, but
the wrong permissions for /etc/smokeping/smokeping_secrets remain.

Since this file is only ever needed on the server side (and unused if
you don't have slaves), you can (AFAICS) unconditionally just set the
ownership to smokeping:www-data and set 640 as permissions and be done,
no need to ask anything.

The slave itself uses /etc/smokeping/slave-secrets as source for the
password, smokeping:root and 640 are correct there and can stay that way.

Grüße,
Sven.
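
An added example, not part of this message or of the smokeping package: a postinst-style helper that applies the smokeping:www-data / 640 default discussed above, but leaves the file alone when the admin has registered a `dpkg-statoverride` entry for it. The function names and the `STATOVERRIDE` variable are hypothetical and exist only for this illustration.

```shell
#!/bin/sh
# Added example; function names and STATOVERRIDE are assumptions, not package code.
# STATOVERRIDE lets the override lookup be replaced by a stub outside Debian.
STATOVERRIDE="${STATOVERRIDE:-dpkg-statoverride}"

# Succeeds when an override is registered for the path.
# "dpkg-statoverride --list PATH" exits 0 on a match and non-zero otherwise;
# a missing tool also counts as "no override".
has_override() {
    "$STATOVERRIDE" --list "$1" >/dev/null 2>&1
}

# apply_default_perms PATH OWNER GROUP MODE
# Prints one of: missing (nothing to do), kept (admin override respected),
# set (package default applied). Returns 1 if chown/chmod fails.
apply_default_perms() {
    path=$1 owner=$2 group=$3 mode=$4
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    if has_override "$path"; then
        echo kept
        return 0
    fi
    chown "$owner:$group" "$path" && chmod "$mode" "$path" || return 1
    echo set
}

# What the "configure" step of a postinst could call, using the ownership
# and mode proposed in the message above for the server-side secrets file.
smokeping_postinst() {
    apply_default_perms /etc/smokeping/smokeping_secrets smokeping www-data 640
}
```

With this in place, an admin who wants different permissions records them once with `dpkg-statoverride --add` and package upgrades no longer reset them.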
