Hi Holger, thanks for the prompt reply.

I understand the security benefits this presents in combination with ProtectSystem=full. However, a separate /home is a common configuration and this problem can easily be overlooked and is then not trivial to find, because there are no error messages anywhere, there is just this odd difference in reality between munin-node as a daemon and everything else the sysadmin does manually on the CLI.

I think to make this less awkward two things would be nice:

- an option to allow monitoring of /home without editing a non-conffile in /lib (How is this even done properly? I just edited the service file to find the cause of my problem, but I suppose it will be overwritten on every update. Is there a nice way to do this?)
- a way to alert the admin of the possibly unintended configuration: df-plugin activated + ProtectHome + Separate /home

Can the df* plugin itself detect the situation and then make a log entry? That would have severely cut down the time it took me to find this.

Cheers
Marc

On Mon, 11 Feb 2019 at 11:45, Holger Levsen <hol...@layer-acht.org> wrote:

> Hi Marc,
>
> On Mon, Feb 11, 2019 at 01:09:37AM +0100, Lars Kruse wrote:
> > > # Plugins like "df" require access to /home if that is a separate filesystem
> > > ProtectHome=false
> > See the other bug report for this issue:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918851
> > We are discussing whether there is a good way to work around this.
>
> IMO this is a good default. If you want to monitor /home (and accept the
> risk that munin-node (and all its plugins) can access /home, you can
> modify the service file locally and get what you want.
>
> Suggestions where&how to document this better welcome!
>
>
> --
> tschau,
> Holger
>
> -------------------------------------------------------------------------------
> holger@(debian|reproducible-builds|layer-acht).org
> PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

--
Marc A. Donges
Kaiserallee 50
76185 Karlsruhe
☎ +49 177 59 666 43 • marc.don...@gmail.com
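
The combination described in the message above (ProtectHome active while /home is a separate filesystem) can be checked from outside the service sandbox. The following is an added example, not part of the original thread or of munin; the function names, the sample mount table and the unit files are constructed, and the local override is modelled as a systemd drop-in that is read after the packaged unit.

```shell
#!/bin/sh
# Added example: warn when ProtectHome hides a separately mounted /home.
# On a live host, pass /proc/mounts and the unit file followed by its drop-ins.

# Print the effective ProtectHome= value; the last assignment wins.
# Prints "no" (the systemd default) when the setting is absent.
protect_home_value() {
    awk -F= '
        /^[ \t]*ProtectHome[ \t]*=/ { v = $2; gsub(/[ \t\r]/, "", v); val = tolower(v) }
        END { print (val == "" ? "no" : val) }' "$@"
}

# Succeed if /home is its own mount point in a /proc/mounts-style table.
home_is_separate_mount() {
    awk '$2 == "/home" { found = 1 } END { exit !found }' "$1"
}

# Print a verdict; return 1 when the service cannot see the /home filesystem.
check_munin_home() {
    mounts=$1; shift
    value=$(protect_home_value "$@")
    case $value in
        yes|true|on|1|tmpfs) hidden=1 ;;   # /home inaccessible or replaced by a tmpfs
        *) hidden=0 ;;                     # no/false/off/0/read-only: still visible
    esac
    if [ "$hidden" -eq 1 ] && home_is_separate_mount "$mounts"; then
        echo "WARN: ProtectHome=$value hides the separate /home filesystem from the service"
        return 1
    fi
    echo "OK: ProtectHome=$value, no separate /home is hidden"
}

# Constructed sample input (not from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sda2 /home ext4 rw 0 0' > "$tmp/mounts"
printf '%s\n' '[Service]' 'ProtectSystem=full' 'ProtectHome=true' > "$tmp/munin-node.service"
printf '%s\n' '[Service]' 'ProtectHome=false' > "$tmp/override.conf"

# Packaged unit alone, then packaged unit plus the local drop-in.
check_munin_home "$tmp/mounts" "$tmp/munin-node.service" || true
check_munin_home "$tmp/mounts" "$tmp/munin-node.service" "$tmp/override.conf"
```

The non-zero return status on the warning case lets the check run from cron or a configuration-management hook.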