Hey again. Perhaps some clarification on this from my side :-)
On Tue, 2016-07-19 at 01:06 +0200, Christoph Anton Mitterer wrote:
> I can't expect you'd change this to:
> ExecStartPre=/usr/lib/icinga2/prepare-dirs /etc/default/icinga2
> ?

I could for now live with the above, if it was implemented, which gives people with other PHP SAPIs a way to change the permissions (along with dpkg-statoverride).

I can also fully understand that you don't want to allow people to change the user/group Icinga/Nagios itself runs under (i.e. nagios).

I thought in good faith that the alternative with the group model (like the icingaweb2 group does it) would be rather simple to adapt throughout the Nagios/Icinga[1|2]/Icinga-Web[1|2]/Icinga-Classic-Web packages, but maybe I'm just wrong or we didn't understand each other when talking about it.

So let me try to explain it a bit more practically. Let's take the command socket as an example:

From the providing package's side:
- icinga2-common.postinst would create e.g. "icinga2_extcmd"
- icinga2-common.postrm would remove icinga2_extcmd on purge
- the places that currently set www-data for the external command socket would then use icinga2_extcmd. These are AFAICS:
  - /usr/lib/icinga2/icinga2 would instead use ICINGA2_COMMAND_GROUP=icinga2_extcmd
  - /etc/init.d/icinga2 would instead use DAEMON_CMDGROUP=icinga2_extcmd
  - optionally, debian/rules would instead use -DICINGA2_COMMAND_GROUP=icinga2_extcmd

From the using package's side: simply, all packages that may make use of the command socket add their group to icinga2_extcmd, once on installation.
- So if you want to have everything running out-of-the-box with mod_php, we could simply do an
    adduser www-data icinga2_extcmd
  in e.g. Icinga Web[1|2] and Icinga Web Classic. AFAIU, things would continue to run out of the box.
- We could further add some docs to README.Debian, telling why this is done and that people can replace it in case they use a different PHP user (or even several).
- Optionally, one could even go one step further: each package like Icinga Web Classic that adds www-data per default to the group increases a counter stored somewhere in /var/lib/icinga. On package purge, the counter is decreased again, and if it reaches 0, www-data could be removed from the group.

Okay, that's quite some text, but I think the underlying idea and actual code is rather simple.

And the same one would need to do for other such "shared" resources, e.g. /var/cache/icinga2, just with a different user, e.g. "icinga2_cache". And of course if only Icinga Classic Web needs /var/cache/icinga2, only that would automatically add www-data to it. :-)

AFAICS this would need to be done for:
  /var/cache/icinga2
  /var/log/icinga2
  /run/icinga2/cmd
  /run/icinga2 (maybe this doesn't even need www-data?)

So it would be three cases for Icinga 2:
  icinga2_extcmd
  icinga2_cache
  icinga2_log

In case the above examples would change your opinion on the matter, I could of course again try to start with some patches, but I probably will need help in some cases (especially I don't know which component may need access to what).

Best,
Chris.
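A sketch of the group-plus-counter scheme proposed in the mail above, added here as an illustration; it is not code from the icinga2 Debian packages or from the mail's author. It assumes the group name icinga2_extcmd and a state directory under /var/lib/icinga2 (both assumptions taken from the proposal), relies on the Debian adduser/deluser/addgroup/delgroup tools, and keeps one marker file per consuming package rather than a bare integer counter. STATE_DIR and GROUP_TOOL are hypothetical overrides so the reference-counting logic can be exercised without root: setting GROUP_TOOL=echo turns every membership change into a dry-run print.

```shell
#!/bin/sh
# Maintainer-script helpers for a shared "external command" group.
# Added example, not the icinga2 packages' own code. Group name, state
# directory and the STATE_DIR/GROUP_TOOL overrides are assumptions.
set -eu

EXTCMD_GROUP=icinga2_extcmd
# One marker file per (user, consuming package) lives below this directory;
# the number of markers for a user is the "counter" from the proposal.
STATE_DIR="${STATE_DIR:-/var/lib/icinga2/extcmd-members}"
# Prefixed to every membership-changing command; "" runs it, "echo" dry-runs it.
GROUP_TOOL="${GROUP_TOOL:-}"

# Providing package (icinga2-common.postinst "configure"): create the group once.
extcmd_group_create() {
  if ! getent group "$EXTCMD_GROUP" >/dev/null 2>&1; then
    $GROUP_TOOL addgroup --system "$EXTCMD_GROUP"
  fi
}

# Providing package (icinga2-common.postrm "purge"): drop the group again.
extcmd_group_remove() {
  if getent group "$EXTCMD_GROUP" >/dev/null 2>&1; then
    $GROUP_TOOL delgroup "$EXTCMD_GROUP"
  fi
}

# Number of consuming packages that currently want USER in the group.
extcmd_member_count() {
  n=0
  for marker in "$STATE_DIR/$1"/*; do
    if [ -e "$marker" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Consuming package (e.g. icinga-web postinst "configure"):
#   extcmd_grant PKG USER
# Adds USER to the group only on the first grant; re-running postinst after
# an upgrade just re-touches the same marker, so nothing is double-counted.
extcmd_grant() {
  pkg=$1; user=$2
  mkdir -p "$STATE_DIR/$user"
  if [ "$(extcmd_member_count "$user")" -eq 0 ]; then
    $GROUP_TOOL adduser "$user" "$EXTCMD_GROUP"
  fi
  : > "$STATE_DIR/$user/$pkg"
}

# Consuming package (postrm "purge"):
#   extcmd_revoke PKG USER
# Removes USER from the group only when the last marker disappears. A purge
# of a package that never granted is a no-op, so a membership an admin added
# by hand (or that another package still needs) is never stripped.
extcmd_revoke() {
  pkg=$1; user=$2
  [ -e "$STATE_DIR/$user/$pkg" ] || return 0
  rm -f "$STATE_DIR/$user/$pkg"
  if [ "$(extcmd_member_count "$user")" -eq 0 ]; then
    $GROUP_TOOL deluser "$user" "$EXTCMD_GROUP"
    rmdir "$STATE_DIR/$user" 2>/dev/null || true
  fi
}
```

The same four functions serve the other shared resources named in the mail (icinga2_cache, icinga2_log) by parameterising EXTCMD_GROUP and STATE_DIR per group. Using per-package markers instead of a single integer is the one deliberate deviation from the proposal: dpkg may re-run postinst on upgrade or after a failed configure, and a bare counter would then drift upward and never reach zero on purge.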