>>> I have to chown munin:nginx and chmod g+x on directory /run/munin/
>>> after every reboot. The munin list suggests altering the initscript
>>> but is there a better way?
>>
>> There are ways, but I wouldn't call them better.
>
> The way to do it nowadays would be by placing a file with the content
>   d /run/munin 0775 munin nginx
> into /usr/lib/tmpfiles.d (if done by the distribution) or into
> /etc/tmpfiles.d (if this is only needed for your special setup).

Will do. Is that leading "d " supposed to be there? Am I creating and editing /etc/tmpfiles.d or /etc/tmpfiles.d/anyfilename?

- Grant

>> /run is often a tmpfs so the dir has to be mkdir'ed somehow after reboot
>> anyway. The initscript is the perfect place to do it.
>
> No, it is not the perfect place, because such a thing would
> be strange to do if e.g. the initscript is restarted or
> started only very late for some reasons (possibly hours
> after the system start, if munin is not needed immediately.)
> (OK, in /run it is not a security risk, but in world-writable
> directories there exist symlink attacks or other bad things
> if you create dirs/files too late and with a predictable name.
> For dirs, it might be possible if you are *very* careful,
> but the obvious "mkdir ...; chown ...; chmod ..." would be a
> horrible security failure.)
>
> Moreover, it is an init-system specific solution
> while you can have a general solution.
> Meanwhile, at least openrc and systemd both support the
> tmpfiles.d subdirectories; I do not know the state of
> other init-systems, but it is not hard to extend any
> init-system of your choice to support these directories.
> In any case, they are more compatible than a solution
> which works with only *one* init-system.
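The difference between the obvious "mkdir ...; chown ...; chmod ..." sequence and a careful one, as an added example that is not part of the original thread. The names `naive_setup`, `careful_setup` and `demo` are hypothetical, and the temporary directories are constructed stand-ins for a shared directory and another user's directory.

```python
import os
import stat
import tempfile

def naive_setup(path, mode):
    """The 'mkdir; chmod' pattern: every step re-resolves the path by name."""
    if not os.path.isdir(path):      # follows symlinks
        os.mkdir(path)
    os.chmod(path, mode)             # follows symlinks: changes the link target

def careful_setup(parent, name, mode, uid=-1, gid=-1):
    """Create or adopt parent/name via file descriptors; True on success."""
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            os.mkdir(name, 0o700, dir_fd=parent_fd)   # private until finished
        except FileExistsError:
            pass                                       # vetted below
        try:
            # O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects a non-directory.
            fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=parent_fd)
        except OSError:
            return False
        try:
            # Refuse a directory that somebody else created ahead of us.
            owners = {os.geteuid()} | ({uid} if uid != -1 else set())
            if os.fstat(fd).st_uid not in owners:
                return False
            os.fchown(fd, uid, gid)   # -1 leaves that id unchanged
            os.fchmod(fd, mode)       # acts on the object we opened, not a name
            return True
        finally:
            os.close(fd)
    finally:
        os.close(parent_fd)

def demo():
    """Constructed scenario: 'run' stands in for a shared directory."""
    run, victim = tempfile.mkdtemp(), tempfile.mkdtemp()   # both mode 0700
    os.symlink(victim, os.path.join(run, "munin"))         # planted beforehand
    refused = not careful_setup(run, "munin", 0o775)
    after_careful = stat.S_IMODE(os.stat(victim).st_mode)
    naive_setup(os.path.join(run, "munin"), 0o775)
    after_naive = stat.S_IMODE(os.stat(victim).st_mode)
    created = careful_setup(run, "munin2", 0o775)
    new_mode = stat.S_IMODE(os.stat(os.path.join(run, "munin2")).st_mode)
    return refused, after_careful, after_naive, created, new_mode
```

Calling `demo()` returns whether the careful version refused the pre-existing symlink, the other directory's mode after each variant ran, and the result for a fresh name.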

