Hi Lars,

On Mon, 18 Feb 2019 at 00:06, Lars Kruse <de...@sumpfralle.de> wrote:
> By accident I stumbled upon "systemctl edit munin-node".
> This will open up an empty editor. Here you can add the following:
>
> [Service]
> ProtectHome = read-only
>
> This will create a file
> /etc/systemd/system/munin-node.service.d/override.conf
> with the above content and in turn override the settings of the system-wide
> service file.
>

Ah, that's nice and clean. If ProtectHome=yes is kept I guess that hint in a README or NOTICE would help. I took a quick look at it.

> Here the plugin within the environment simply does not notice that /home is
> not accessible: it will simply be missing in the output by "df -h". Thus we
> cannot emit a warning in this case.
> Or does someone have an idea how to identify such an issue?
> (and how we should report it)
>
>
> Given that the "ProtectHome" setting allows the "read-only" value, I propose
> that we should pick this one instead of "yes".
>
> I think, we are mainly trying to protect the user from badly written plugins
> that mess up something with their cleanup procedure and accidentally erase
> relevant files. "read-only" would prevent this problem.
> The different problem of munin plugins spying on users on purpose would indeed
> justify "yes". But I tend to think, that everything is lost anyway, if a user
> runs random malicious code on his host.
>
> What do you think?
>

I am not familiar with the attack scenario that led to the config change, however, if I understand the settings correctly, then the combination of ProtectHome=true and ProtectSystem=full is a strong protection against using a hypothetical security vulnerability to take over the machine or exfiltrate any personal data, although munin runs as root, which is a pretty nice benefit. So although I would change this on machines I run, simply because I need to know when /home is almost full, I understand that a default install would not allow that.

I don't think a scenario of "evil plugins" is relevant, a sysadmin just should not use questionable software.

Kind regards
Marc

--
Marc A. Donges
Kaiserallee 50
76185 Karlsruhe
☎ +49 177 59 666 43 • marc.don...@gmail.com
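
The question raised in the thread, how to notice that `/home` is hidden from the plugin, can be answered from outside the sandbox. The following is an added example, not part of the original message or of munin: a host-side check that reads the unit's effective `ProtectHome=` value and lists the mount points `df` inside the unit will omit. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: run on the host, outside the unit's sandbox.

# Constructed sample in /proc/mounts format (not taken from a real machine).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /home/projects xfs rw,noatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev 0 0
/dev/sdc1 /homework ext4 rw,relatime 0 0
EOF
}

# hidden_mounts VALUE: reads /proc/mounts-style lines on stdin and prints the
# mount points the unit cannot inspect for that ProtectHome= value.
hidden_mounts() {
    case "$1" in
        yes|tmpfs) ;;                    # /home, /root, /run/user look empty to the unit
        *) cat >/dev/null; return 0 ;;   # "read-only" and "no" keep them visible
    esac
    # Match the three directories and anything below them, but not /homework.
    awk '$2 ~ /^\/(home|root|run\/user)(\/|$)/ { print $2 }'
}

# protect_home UNIT: effective value as systemd reports it
# (yes, no, read-only or tmpfs).
protect_home() {
    systemctl show --property=ProtectHome "$1" | cut -d= -f2
}

# Usage: sh check-protect-home.sh munin-node
if [ $# -ge 1 ]; then
    value=$(protect_home "$1")
    hidden=$(hidden_mounts "$value" < /proc/mounts)
    if [ -n "$hidden" ]; then
        echo "WARNING: $1 runs with ProtectHome=$value; df inside it omits:"
        echo "$hidden"
        exit 1
    fi
    echo "OK: ProtectHome=$value hides no mounted file system from $1"
fi
```

Mount points containing spaces appear escaped in `/proc/mounts` and are reported in that escaped form.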