<de...@sumpfralle.de> writes:

> yes, there were also a few issues raised and a few questions asked via IRC.
> The difference between executing "munin-run" and deploying the plugin in a real
> environment can be an annoying source of confusion.
> But the hardening directives can be of really good use, since they prevent
> misbehaving or insecure plugins from causing damage.
>
> Thus I am not sure how we should proceed.
>
> At the moment I see the following options:
> A) make these hardening flags configurable via debconf during
>    installation/upgrade
>    (I would need to investigate how systemd units can be configured properly)
> B) disable hardening flags and mention their activation in README.Debian
> C) keep the hardening flags and somehow allow "munin-run" to use the same set
>    of hardening flags that the munin-node service uses.
>    (or something along these lines - it feels really complicated)
>
> Any other opinions?

The hardening options in systemd have boolean as well as other values
special for each setting. The ProtectHome= systemd unit parameter also
takes "read-only", which _should_ allow monitoring to check filesystem
usage. See man:systemd.exec(5).

Since the job of munin-node is to do filesystem monitoring as default,
and the /home filesystem is often useful to monitor, I'd suggest
"read-only" as a new value for ProtectHome= in munin-node.service. If it
works. :)

(I'm probably responsible for the current value of ProtectHome= in
munin-node.service, to be honest.)

-- 
Stig Sandbeck Mathisen
Trust the Computer, the Computer is your Friend
