Bug#951095: marked as done (/usr/sbin/munin-run: munin-run: issue with `--property DropInPaths=...`)

Sat, 14 Mar 2020 11:21:51 -0700 

Your message dated Sat, 14 Mar 2020 18:19:43 +0000
with message-id <[email protected]>
and subject line Bug#951095: fixed in munin 2.0.57-1
has caused the Debian Bug report #951095,
regarding /usr/sbin/munin-run: munin-run: issue with `--property 
DropInPaths=...`
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
951095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951095
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: munin-node
Version: 2.0.56-1
Severity: normal
File: /usr/sbin/munin-run
Tags: upstream

Dear Maintainer,

This is a placeholder for the upstream bug, reported at 
https://github.com/munin-monitoring/munin/issues/1280.
The text of the issue follows below.

        **Describe the bug**
        Running on Debian Testing (bullseye-ish), recently upgraded to 2.0.56-1.

        I have a drop-in systemd override to work around [the hardening 
bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339) (maybe linked to 
#1273). This worked fine until 2.0.51-1 (and upgrading to .56 didn't fix it), 
setting `Protect-Home=read-only`.

        Now, running plugins through `munin-run` fails with 
        ```
        Warning: the execution of 'munin-run' via 'systemd-run' returned an 
error. This may either be caused by a problem with the plugin to be executed or 
a failure of the 'systemd-run' wrapper. Details of the latter can be found via 
'journalctl
        ```

        **To Reproduce**
        Steps to reproduce the behavior:
        1. Install the drop-in 
`/etc/systemd/system/munin-node.service.d/protect-home.conf`
        ```
        [Service]
        # Work around [0]
        # [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339
        ProtectHome=read-only
        ```
        2. Use `munin-run` on any plugin
        ```
        sudo -u munin  /usr/sbin/munin-run --debug uptime
        ```
        3. `systemd-run` fails with message `Unknown assignment: 
DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf`
        ```
        # Running 'munin-run' via 'systemd-run' with systemd properties based 
on 'munin-node.service'.
        # Command invocation: systemd-run --collect --pipe --quiet --wait 
--property EnvironmentFile=/tmp/rBa_tVsxS5 --property UMask=0022 --property 
LimitCPU=infinity --property LimitFSIZE=infinity --property LimitDATA=infinity 
--property LimitSTACK=infinity --property LimitCORE=infinity --property 
LimitRSS=infinity --property LimitNOFILE=524288 --property LimitAS=infinity 
--property LimitNPROC=7566 --property LimitMEMLOCK=65536 --property 
LimitLOCKS=infinity --property LimitSIGPENDING=7566 --property 
LimitMSGQUEUE=819200 --property LimitNICE=0 --property LimitRTPRIO=0 --property 
LimitRTTIME=infinity --property SecureBits=0 --property 
'CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search 
cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap 
cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin 
cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio 
cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot 
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod 
cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override 
cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read' 
--property AmbientCapabilities= --property DynamicUser=no --property 
MountFlags= --property PrivateTmp=yes --property PrivateDevices=no --property 
ProtectKernelTunables=no --property ProtectKernelModules=no --property 
ProtectKernelLogs=no --property ProtectControlGroups=no --property 
PrivateNetwork=no --property PrivateUsers=no --property PrivateMounts=no 
--property ProtectHome=read-only --property ProtectSystem=full --property 
NoNewPrivileges=no --property LockPersonality=no --property 
MemoryDenyWriteExecute=no --property RestrictRealtime=no --property 
RestrictSUIDSGID=no --property RestrictNamespaces=no --property 
ProtectHostname=no --property 
DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf -- 
/usr/sbin/munin-run --ignore-systemd-properties --debug uptime
        Unknown assignment: 
DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf
        Warning: the execution of 'munin-run' via 'systemd-run' returned an 
error. This may either be caused by a problem with the plugin to be executed or 
a failure of the 'systemd-run' wrapper. Details of the latter can be found via 
'journalctl'.
        ```

        **Expected behavior**
        The plugin is run without issue. Perhaps the property `DropInPaths` 
should be excluded around 
https://github.com/munin-monitoring/munin/blob/debian/2.0.56-1/node/sbin/munin-run#L69
 ?

        **Desktop (please complete the following information):**
         - OS+Distribution Version: Debian Testing (bullseye)
         - Munin Version 2.0.56-.1

        **Additional context**
        Drop-in systemd config to work around 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339 installed at 
`/etc/systemd/system/munin-node.service.d/protect-home.conf`:
        ```
        [Service]
        # Work around [0]
        # [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339
        ProtectHome=read-only
        ```


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE= (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF8), 
LANGUAGE=en_AU:en (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages munin-node depends on:
ii  init-system-helpers  1.57
ii  libnet-server-perl   2.009-1
ii  lsb-base             11.1.0
ii  munin-common         2.0.56-1
ii  munin-plugins-core   2.0.56-1
ii  netbase              6.0
ii  perl                 5.30.0-9

Versions of packages munin-node recommends:
ii  gawk                 1:5.0.1+dfsg-1
ii  git                  1:2.25.0-1
ii  jo                   1.1-1+b1
ii  jq                   1.6-1
ii  man-db [man]         2.9.0-2
ii  munin-plugins-extra  2.0.56-1
ii  perl-doc             5.30.0-9
ii  procps               2:3.3.15-2+b1

Versions of packages munin-node suggests:
ii  munin               2.0.56-1
pn  munin-plugins-java  <none>

-- Configuration Files:
/etc/munin/plugin-conf.d/README [Errno 13] Permission denied: 
'/etc/munin/plugin-conf.d/README'
/etc/munin/plugin-conf.d/munin-node [Errno 13] Permission denied: 
'/etc/munin/plugin-conf.d/munin-node'

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: munin
Source-Version: 2.0.57-1
Done: Holger Levsen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Mar 2020 18:59:29 +0100
Source: munin
Architecture: source
Version: 2.0.57-1
Distribution: unstable
Urgency: medium
Maintainer: Munin Debian Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 949887 949889 951095
Changes:
 munin (2.0.57-1) unstable; urgency=medium
 .
   [ Lars Kruse ]
   * New upstream release, 2.0.57, fixing the following issue:
     - munin-run: ignore DropInPaths property (Closes: #951095)
   * munin-node sysvinit: simplify detection of "pid_file" location
   * munin-node sysvinit: remove check for root user
   * munin-node sysvinit: separate code for start preparation
   * sysvinit for munin/munin-async/munin-node: use "init-d-system"
     instead of "init-functions"
   * sysvinit/systemd for munin-async/munin-node: wait for "sd_notify"
     signal
   * munin sysvinit: reduce dependencies and suggest to start before cron
     (otherwise cron could execute "munin-update" before /run/munin/ is ready)
   * d/tests: use unique names for tests with systemd and sysvinit.
     (thanks, Michael Biebl, Closes: #949889)
   * d/tests: enable test "node-sysv" again
   * d/tests (sysvinit): wait for all init scripts to be finished before
     starting any tests (Closes: #949887)
Checksums-Sha1:
 b8a4a20ff48dbf92a91ef1b27a0fdf95b56b5d5a 3138 munin_2.0.57-1.dsc
 37d97642abc936ebc760a2df4c12c132bd06767e 2266092 munin_2.0.57.orig.tar.gz
 e0922c50535aed428de9c54fa1e3bcc894239fb8 833 munin_2.0.57.orig.tar.gz.asc
 5f0b56520500680f28f1ebe6392d4c392dff483d 64132 munin_2.0.57-1.debian.tar.xz
 f098bffbf8f190b63cc57b13a69d0e0a65c7918e 5517 munin_2.0.57-1_source.buildinfo
Checksums-Sha256:
 fc013d38f1b4b63cf439c9701c8b51f8b2e2b168306334921c0b87829bc8107c 3138 
munin_2.0.57-1.dsc
 b51ca4fd73c3ceb232c17ef4d8ba96ae2d39482df6532109ae2baaf2da0eb297 2266092 
munin_2.0.57.orig.tar.gz
 1efdf8a9875b6df4af6992674c9433d1111ac62ca4564d4a739d42d36814516e 833 
munin_2.0.57.orig.tar.gz.asc
 7f62ab173b5ab94a71e4ee9488dab6a8ca8c6625243c35361c3973d8ea7bd229 64132 
munin_2.0.57-1.debian.tar.xz
 f3c9e037dcdd9b2bbcb10820559ca52f77f2f402543fd7f86aae1f27dde721ee 5517 
munin_2.0.57-1_source.buildinfo
Files:
 81bd6c6467a89c9c6c583afb1c6131c5 3138 net optional munin_2.0.57-1.dsc
 f68ee169b22b32e0d58f9905030fe641 2266092 net optional munin_2.0.57.orig.tar.gz
 c2c436e9aea23962b7be7888a20c1965 833 net optional munin_2.0.57.orig.tar.gz.asc
 34440fa25c7fc81c5d2a0e12769a6139 64132 net optional 
munin_2.0.57-1.debian.tar.xz
 25dcd38d5594b8968db020c677aec16f 5517 net optional 
munin_2.0.57-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAl5tG+oACgkQCRq4Vgaa
qhwE6w/8DeLy8IkqUT+ypYEc/s6sMJCrC2kAuceq+2uAsOvpAgBqA79GqY/8MgmR
F/N6veHdHjvZ3sio6m6i6UX4LsJyyfNG4dWBoacGgOtQGrOIWZ6/tqsmDZNhHb9L
Icfghk9kIxM1xISH4Y26INzMNK2hW9/LfVmf2ka69l/FbFRyW0LtizJFn8u3u3Eu
J9o3OYQQhdsd7p8Tx/WEZS3y0syc7VtMXErl4GHrBPTHTfCun/y9SEzyZgnCg01x
VqD0ymJqMpR8RGdkITAbgM0jX3Xyk4yMCsza2iLEdgF5LoXNMWenRzoKsOVsIbr1
XvzJb3hy3BsD3jbTQ04XaidbjS2Ecm21MflVbZV3vK7YjXx28gyzNgqSZsJr59g9
aV4fKwWp84lwNi4WFt2WWogMYM9jxlDp9xBXYiRY70WTHKbe2gcRzaj9609rm9JU
IgdABqcpGLsJ/OCV2huqv3s19tSoGqCORDTcZH5r3qSv/6+MkWROZ7s4dM3E48yF
M6yG/U78ktzb2Ek1mJ2p9SBmy7pxIAlte/kfBjT+0qhERNDiUUTb92sAp7e/Zl3W
WMQlB5A3Jsy+9A9rast0YogD9mb4lqgG6hz6RI/IePJlmDuR7PtTt8jdnPVFb6wT
Lwhz+MbfwLJJAQXWkoWgDvyxV5fsBooZZhqNWO1m2krEPVJy09o=
=2VtN
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to