Bug#956711: munin: permissions of /var/log/munin for html/graph_strategy cgi: www-data user should be in groups munin and adm

2020-04-14 Thread devel
Hello Marcel,

thank you for your bug report!


On Tue, 14 Apr 2020 16:40:12 +0200,
Marcel Partap wrote:

> By default, debian's munin is not ready for switching html_strategy and
> graph_strategy to cgi because of a lack of access permission for the (apache2)
> www-data user on folders /var/lib/munin/cgi-tmp and /var/log/munin .
> 
> This can be resolved by allowing the respective owner groups write access
> > chmod g+w /var/lib/munin/cgi-tmp /var/log/munin
> [..]
> gpasswd -a www-data munin
> gpasswd -a www-data adm  

Are you really sure that these steps are necessary?

The munin package uses autopkgtests. One of the tested scenarios is the switch
to the CGI-based rendering. The preparations for this step are quite trivial:
* change the strategies to "cgi"
* toggle the enabled line in the apache configuration (as documented there)

(see
https://salsa.debian.org/debian/munin/-/blob/debian/debian/tests/enable_cgi_strategy.inc)

Afterwards it should work. At least the current tests do not fail ...


The permissions should be handled automatically during package installation:

   touch /var/log/munin/munin-cgi-html.log
   chown www-data:adm /var/log/munin/munin-cgi-html.log
   chmod 640 /var/log/munin/munin-cgi-html.log

   touch /var/log/munin/munin-cgi-graph.log
   chown www-data:adm /var/log/munin/munin-cgi-graph.log
   chmod 640 /var/log/munin/munin-cgi-graph.log

   mkdir -p /var/lib/munin/cgi-tmp
   chown munin:www-data /var/lib/munin/cgi-tmp
   chmod 775 /var/lib/munin/cgi-tmp
(see the postinst script)


Maybe you are cleaning up the log directory (e.g. on a read-only system) during
a reboot?
In this case it would indeed fail. I guess it would be nice for the package to
also work in such situations (e.g. non-permanent /var/log/).

Or do you have another idea what could be wrong?

Cheers,
Lars
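
One way to tell the two explanations in this thread apart (log files missing after /var/log was cleaned versus files present with the wrong owner or mode), as an added example that is not part of the original mail or of the munin package. The paths, owners and modes are the ones quoted from the postinst above; the function names and the optional root prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the state the munin postinst is described as creating.
# Requires GNU stat (as on Debian). Function names are hypothetical.

# check_path PATH TYPE OWNER:GROUP MODE
# prints: ok | missing | wrong-type | owner:<found> | mode:<found>
check_path() {
    path=$1; type=$2; want_owner=$3; want_mode=$4
    [ -e "$path" ] || { echo missing; return 1; }
    case $type in
        f) [ -f "$path" ] || { echo wrong-type; return 1; } ;;
        d) [ -d "$path" ] || { echo wrong-type; return 1; } ;;
    esac
    owner=$(stat -c '%U:%G' "$path")
    mode=$(stat -c '%a' "$path")
    [ "$owner" = "$want_owner" ] || { echo "owner:$owner"; return 1; }
    [ "$mode" = "$want_mode" ] || { echo "mode:$mode"; return 1; }
    echo ok
}

# audit_munin_cgi [ROOT] [WEB_USER] [LOG_GROUP] [MUNIN_USER]
# ROOT is an optional prefix so the audit can run against a scratch tree.
# Returns 0 only if all three paths match what the postinst sets up.
audit_munin_cgi() {
    root=${1:-}; web=${2:-www-data}; loggrp=${3:-adm}; munin=${4:-munin}
    rc=0
    while read -r type rel owner mode; do
        result=$(check_path "$root$rel" "$type" "$owner" "$mode") || rc=1
        printf '%-8s %s\n' "$result" "$root$rel"
    done <<EOF
f /var/log/munin/munin-cgi-html.log $web:$loggrp 640
f /var/log/munin/munin-cgi-graph.log $web:$loggrp 640
d /var/lib/munin/cgi-tmp $munin:$web 775
EOF
    return $rc
}
```

Run `audit_munin_cgi` as root on the affected host: a `missing` result points to the cleaned-up log directory case, while `owner:` or `mode:` shows what differs from the packaged defaults.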



Bug#956711: munin: permissions of /var/log/munin for html/graph_strategy cgi: www-data user should be in groups munin and adm

2020-04-14 Thread Marcel Partap
Package: munin
Version: 2.0.57-1
Severity: normal

By default, debian's munin is not ready for switching html_strategy and
graph_strategy to cgi because of a lack of access permission for the (apache2)
www-data user on folders /var/lib/munin/cgi-tmp and /var/log/munin .

This can be resolved by allowing the respective owner groups write access
> chmod g+w /var/lib/munin/cgi-tmp /var/log/munin

.. and adding the www-data user to the owning groups for both:
> gpasswd -a www-data munin
> gpasswd -a www-data adm

With this, the cgi strategies work beautifully, including dynazoom.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (510, 'unstable'), (510, 'testing'), (509, 'experimental'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_CRAP, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages munin depends on:
ii  cron [cron-daemon]           3.0pl1-135
ii  debconf [debconf-2.0]        1.5.73
ii  fonts-dejavu-core            2.37-1
ii  init-system-helpers          1.57
ii  libdate-manip-perl           6.78-1
pn  libdigest-md5-perl
ii  libfile-copy-recursive-perl  0.44-1
ii  libhtml-template-perl        2.97-1
ii  libio-socket-inet6-perl      2.72-2
ii  liblog-log4perl-perl         1.49-1
ii  librrds-perl                 1.7.2-3
pn  libstorable-perl
ii  liburi-perl                  1.76-1
ii  lsb-base                     11.1.0
ii  munin-common                 2.0.57-1
ii  netbase                      6.1
ii  perl [libtime-hires-perl]    5.30.0-9
ii  rrdtool                      1.7.2-3+b1
ii  systemd-sysv                 245.4-3

Versions of packages munin recommends:
ii  libcgi-fast-perl  1:2.15-1
ii  munin-doc         2.0.51-1
ii  munin-node        2.0.57-1

Versions of packages munin suggests:
ii  apache2 [httpd]          2.4.43-1
ii  chromium [www-browser]   80.0.3987.116-1
ii  elinks [www-browser]     0.13.1-1
ii  falkon [www-browser]     3.1.0+dfsg1-6
ii  firefox [www-browser]    74.0-1
ii  konqueror [www-browser]  4:19.08.2-2+b1
ii  libapache2-mod-fcgid     1:2.3.9-4
ii  libnet-ssleay-perl       1.88-1+b1
ii  links2 [www-browser]     2.20.2-1+b1
ii  w3m [www-browser]        0.5.3-37+b1

-- Configuration Files:
/etc/cron.d/munin changed:
MAILTO=root
*/5 * * * * munin if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi
14 10 * * * munin if [ -x /usr/share/munin/munin-limits ]; then /usr/share/munin/munin-limits --force --contact nagios --contact old-nagios; fi
27 03 * * * munin htmldir=$({ cat /etc/munin/munin.conf /etc/munin/munin-conf.d/* 2>/dev/null || true; } | sed -nE 's/^\s*htmldir\s+(\S.*)$/\1/p' | tail -1); htmldir=${htmldir:-/var/cache/munin/www}; if [ -d "$htmldir" ]; then find "$htmldir/" -type f -name "*.html" -mtime +30 -delete; find "$htmldir/" -mindepth 1 -type d -empty -delete; fi
32 03 * * * www-data cgitmpdir=$({ cat /etc/munin/munin.conf /etc/munin/munin-conf.d/* 2>/dev/null || true; } | sed -nE 's/^\s*cgitmpdir\s+(\S.*)$/\1/p' | tail -1); cgitmpdir=${cgitmpdir:-/var/lib/munin/cgi-tmp}; if [ -d "$cgitmpdir" ]; then find "$cgitmpdir/" -type f -mtime +1 -delete; find "$cgitmpdir/" -mindepth 1 -type d -empty -delete; fi

/etc/munin/apache24.conf changed:
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
Alias /munin/static/ /var/cache/munin/www/static/

Require local
Options None


Require local

SetHandler fcgid-script


SetHandler cgi-script


ScriptAlias /munin /usr/lib/munin/cgi/munin-cgi-html

/etc/munin/munin.conf changed:
includedir /etc/munin/munin-conf.d
graph_strategy cgi
html_strategy cgi
[base]
address 127.0.0.1
use_node_name yes
[spot]
address 192.168.1.1
use_node_name yes


-- debconf-show failed