Package: munin-node
Version: 2.0.56-1
Severity: normal
File: /usr/sbin/munin-run
Tags: upstream

Dear Maintainer,

This is a placeholder for the upstream bug, reported at https://github.com/munin-monitoring/munin/issues/1280. The text of the issue follows below.

**Describe the bug**

Running on Debian Testing (bullseye-ish), recently upgraded to 2.0.56-1.

I have a drop-in systemd override to work around [the hardening bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339) (maybe linked to #1273). This worked fine until 2.0.51-1 (and upgrading to .56 didn't fix it), setting `Protect-Home=read-only`.

Now, running plugins through `munin-run` fails with

```
Warning: the execution of 'munin-run' via 'systemd-run' returned an error. This may either be caused by a problem with the plugin to be executed or a failure of the 'systemd-run' wrapper. Details of the latter can be found via 'journalctl
```

**To Reproduce**

Steps to reproduce the behavior:

1. Install the drop-in `/etc/systemd/system/munin-node.service.d/protect-home.conf`

```
[Service]
# Work around [0]
# [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339
ProtectHome=read-only
```

2. Use `munin-run` on any plugin

```
sudo -u munin /usr/sbin/munin-run --debug uptime
```

3. `systemd-run` fails with message `Unknown assignment: DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf`

```
# Running 'munin-run' via 'systemd-run' with systemd properties based on 'munin-node.service'.
# Command invocation: systemd-run --collect --pipe --quiet --wait --property EnvironmentFile=/tmp/rBa_tVsxS5 --property UMask=0022 --property LimitCPU=infinity --property LimitFSIZE=infinity --property LimitDATA=infinity --property LimitSTACK=infinity --property LimitCORE=infinity --property LimitRSS=infinity --property LimitNOFILE=524288 --property LimitAS=infinity --property LimitNPROC=7566 --property LimitMEMLOCK=65536 --property LimitLOCKS=infinity --property LimitSIGPENDING=7566 --property LimitMSGQUEUE=819200 --property LimitNICE=0 --property LimitRTPRIO=0 --property LimitRTTIME=infinity --property SecureBits=0 --property 'CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read' --property AmbientCapabilities= --property DynamicUser=no --property MountFlags= --property PrivateTmp=yes --property PrivateDevices=no --property ProtectKernelTunables=no --property ProtectKernelModules=no --property ProtectKernelLogs=no --property ProtectControlGroups=no --property PrivateNetwork=no --property PrivateUsers=no --property PrivateMounts=no --property ProtectHome=read-only --property ProtectSystem=full --property NoNewPrivileges=no --property LockPersonality=no --property MemoryDenyWriteExecute=no --property RestrictRealtime=no --property RestrictSUIDSGID=no --property RestrictNamespaces=no --property ProtectHostname=no --property DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf -- /usr/sbin/munin-run --ignore-systemd-properties --debug uptime 
Unknown assignment: DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf
Warning: the execution of 'munin-run' via 'systemd-run' returned an error. This may either be caused by a problem with the plugin to be executed or a failure of the 'systemd-run' wrapper. Details of the latter can be found via 'journalctl'.
```

**Expected behavior**

The plugin is run without issue.

Perhaps the property `DropInPaths` should be excluded around https://github.com/munin-monitoring/munin/blob/debian/2.0.56-1/node/sbin/munin-run#L69 ?

**Desktop (please complete the following information):**

- OS+Distribution Version: Debian Testing (bullseye)
- Munin Version 2.0.56-.1

**Additional context**

Drop-in systemd config to work around https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339 installed at `/etc/systemd/system/munin-node.service.d/protect-home.conf`:

```
[Service]
# Work around [0]
# [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939339
ProtectHome=read-only
```

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE= (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF8), LANGUAGE=en_AU:en (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages munin-node depends on:
ii  init-system-helpers  1.57
ii  libnet-server-perl   2.009-1
ii  lsb-base             11.1.0
ii  munin-common         2.0.56-1
ii  munin-plugins-core   2.0.56-1
ii  netbase              6.0
ii  perl                 5.30.0-9

Versions of packages munin-node recommends:
ii  gawk                 1:5.0.1+dfsg-1
ii  git                  1:2.25.0-1
ii  jo                   1.1-1+b1
ii  jq                   1.6-1
ii  man-db [man]         2.9.0-2
ii  munin-plugins-extra  2.0.56-1
ii  perl-doc             5.30.0-9
ii  procps               2:3.3.15-2+b1

Versions of packages munin-node suggests:
ii  munin               2.0.56-1
pn  munin-plugins-java  <none>

-- Configuration Files:
/etc/munin/plugin-conf.d/README [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/README'
/etc/munin/plugin-conf.d/munin-node [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/munin-node'

-- no debconf information
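
The exclusion suggested under "Expected behavior" in the report, as an added example (not part of the original report and not munin-run's own code, which is Perl): properties are selected by key name only, so informational fields reported by `systemctl show`, such as `DropInPaths`, never reach `systemd-run --property`, while the sandboxing settings are carried over. The allowlist `ALLOWED_KEY`, the function names and the sample input are assumptions made for illustration.

```python
import re

# Constructed sample of `systemctl show munin-node.service` output; the
# property names and values are taken from the command line in the report.
SAMPLE_SHOW_OUTPUT = """\
UMask=0022
LimitNOFILE=524288
CapabilityBoundingSet=cap_chown cap_dac_override cap_net_bind_service
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
NoNewPrivileges=no
DropInPaths=/etc/systemd/system/munin-node.service.d/protect-home.conf
"""

# Plugin invocation as shown in the report.
COMMAND = ["/usr/sbin/munin-run", "--ignore-systemd-properties", "--debug", "uptime"]

# Assumption: a hypothetical allowlist covering the property families seen in
# the report. It is matched against the key only, never against the value.
ALLOWED_KEY = re.compile(
    r"UMask|SecureBits|CapabilityBoundingSet|AmbientCapabilities|DynamicUser"
    r"|MountFlags|NoNewPrivileges|LockPersonality|MemoryDenyWriteExecute"
    r"|Limit[A-Z]+|Protect[A-Za-z]+|Private[A-Za-z]+|Restrict[A-Za-z]+"
)

def split_properties(show_output):
    """Split KEY=VALUE lines into (kept, dropped) lists of (key, value)."""
    kept, dropped = [], []
    for line in show_output.splitlines():
        key, sep, value = line.partition("=")  # values may contain '='
        if not sep or not key:
            continue  # not a KEY=VALUE line
        target = kept if ALLOWED_KEY.fullmatch(key) else dropped
        target.append((key, value))
    return kept, dropped

def systemd_run_argv(show_output, command):
    """Build the systemd-run argv, one --property per allowlisted setting."""
    kept, _ = split_properties(show_output)
    argv = ["systemd-run", "--collect", "--pipe", "--quiet", "--wait"]
    for key, value in kept:
        argv += ["--property", f"{key}={value}"]  # one argv element, no shell quoting
    return argv + ["--", *command]
```

Logging the `dropped` list makes it visible when a hardening directive added by a drop-in is missing from the allowlist and is therefore not applied to the plugin run.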