Alan McKinnon <[email protected]> wrote:
> On 07/10/2015 18:27, Grant wrote:
>> I have to chown munin:nginx and chmod g+x on directory /run/munin/
>> after every reboot. The munin list suggests altering the initscript
>> but is there a better way?
>
> There are ways, but I wouldn't call them better.

The way to do it nowadays would be by placing a file with the content

d /run/munin 0775 munin nginx

into /usr/lib/tmpfiles.d (if done by the distribution) or into
/etc/tmpfiles.d (if this is only needed for your special setup).

> /run is often a tmpfs so the dir has to be mkdir'ed somehow after reboot
> anyway. The initscript is the perfect place to do it.

No, it is not the perfect place, because such a thing would be strange
to do if e.g. the initscript is restarted or started only very late
for some reasons (possibly hours after the system start, if munin
is not needed immediately.)
(OK, in /run it is not a security risk, but in world-writable
directories there exist symlink attacks or other bad things if you
create dirs/files too late and with a predictable name.
For dirs, it might be possible if you are *very* careful, but the
obvious "mkdir ...; chown ...; chmod ..." would be a horrible
security failure.)

Moreover, it is an init-system specific solution while you can
have a general solution.
Meanwhile, at least openrc and systemd both support the tmpfiles.d
subdirectories; I do not know the state of other init-systems, but
it is not hard to extend any init-system of your choice to support
these directories. In any case, they are more compatible than a
solution which works with only *one* init-system.
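What "very careful" directory creation in a shared directory can look like, next to the obvious mkdir/chown/chmod sequence the message warns about. This is an added example, not part of the original message; the function names naive_create and careful_create are hypothetical, and it assumes Linux, where Python supports dir_fd and O_NOFOLLOW.

```python
import os
import stat

def naive_create(path, mode, uid, gid):
    """The obvious 'mkdir; chown; chmod': every step re-resolves the path by
    name, so a symlink already sitting at that name redirects chown/chmod."""
    os.makedirs(path, exist_ok=True)   # accepts an existing symlink to a dir
    os.chown(path, uid, gid)           # follows symlinks
    os.chmod(path, mode)               # follows symlinks

def careful_create(parent, name, mode, uid, gid):
    """Create parent/name, refusing any pre-existing entry, and apply
    ownership and mode through a file descriptor instead of the name."""
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # mkdir(2) is atomic and fails with EEXIST if the name is taken,
        # including by a dangling symlink. Start private (0700).
        os.mkdir(name, 0o700, dir_fd=parent_fd)
        # O_NOFOLLOW: fail rather than follow if the entry was swapped.
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                     dir_fd=parent_fd)
        try:
            st = os.fstat(fd)
            if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
                raise PermissionError(f"{name}: not the directory we created")
            os.fchown(fd, uid, gid)    # acts on the inode we verified
            os.fchmod(fd, mode)        # chown can clear bits, so chmod last
        finally:
            os.close(fd)
    finally:
        os.close(parent_fd)
```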

