On 22.05.2016 00:25, Iustin Pop wrote:
>> ,----
>> | chown smokeping:smokeping /var/lib/smokeping
>> | chown smokeping:smokeping /etc/smokeping/smokeping_secrets
>> | chmod 640 /etc/smokeping/smokeping_secrets
>> `----
>>
>> This unconditionally destroys any custom permissions the admin may have
>> set. Overwriting the permissions for /etc/smokeping/smokeping_secrets is
>> especially disastrous because this file needs to be read by the www-data
>> user (or group) to allow slaves to connect correctly.
>>
>> Right now the only option is to use POSIX-ACLs to allow www-data to read
>> that file because if you just use "chgrp www-data" this change will get
>> overwritten the next time the package is updated.
>
> Since there's no mechanism (AFAIK) for automatically handling custom
> permissions for conffiles, and both the admin and the package fight over
> this, the first solution that comes to mind is to add debconf questions
> for owner and mode, and always use debconf/the package to manage the
> permissions. This would solve both problems (conflicts and custom
> permissions).
>
> A simpler alternative but not that flexible would be to add only one
> question ("support slaves"), which would different, but still hard-coded
> permissions.

In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760945#12 I corrected
my statement concerning the directory /var/lib/smokeping, but the wrong
permissions for /etc/smokeping/smokeping_secrets remain.

Since this file is only ever needed on the server side (and unused if you
don't have slaves), you can (AFAICS) unconditionally just set the ownership
to smokeping:www-data and set 640 as permissions and be done, no need to
ask anything.

The slave itself uses /etc/smokeping/slave-secrets as source for the
password, smokeping:root and 640 are correct there and can stay that way.

Regards,
Sven.
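An added example, not part of this thread and not code from the smokeping package: one way a maintainer script can apply the smokeping:www-data 640 default discussed above while leaving admin-chosen ownership and mode alone, by skipping the chown/chmod when a dpkg-statoverride entry exists for the file. The helper name apply_default_perms and the STATOVERRIDE variable are hypothetical, introduced only for this illustration.

```shell
#!/bin/sh
# Added example: postinst-style helper, not code from the smokeping package.
set -e

# Command used to look up local overrides. Overridable (assumption of this
# example) so the helper can be exercised outside a Debian system.
STATOVERRIDE="${STATOVERRIDE:-dpkg-statoverride}"

# apply_default_perms OWNER GROUP MODE PATH   (hypothetical helper name)
# Applies the packaged default only when the admin has not registered an
# override with: dpkg-statoverride --add OWNER GROUP MODE PATH
apply_default_perms() {
    owner=$1 group=$2 mode=$3 path=$4

    # Nothing to do if the file is absent (e.g. removed by the admin).
    [ -e "$path" ] || return 0

    # "--list PATH" exits 0 when an override for PATH is registered;
    # in that case the admin's choice wins and the file is left untouched.
    if "$STATOVERRIDE" --list "$path" >/dev/null 2>&1; then
        return 0
    fi

    chown "$owner:$group" "$path"
    chmod "$mode" "$path"
}

# In a postinst the call would look like:
#   apply_default_perms smokeping www-data 640 /etc/smokeping/smokeping_secrets
```

With this in place, an admin who wants different permissions registers them once with dpkg-statoverride and package upgrades no longer reset them.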