Accepting request 1291418 from server:monitoring

Let munin-node use its own log and run sub-directory to avoid privilege escalation (boo#1246089) OBS-URL: https://build.opensuse.org/request/show/1291418 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/munin?expand=0&rev=39
2025-07-09 15:26:32 +00:00
parent 6939d301f8 399785616b
commit 5480444b8f
5 changed files with 19 additions and 7 deletions
--- a/munin-node.logrotate
+++ b/munin-node.logrotate
@@ -1,4 +1,4 @@
-/var/log/munin/munin-node.log {
+/var/log/munin-node/munin-node.log {
 	daily
 	missingok
 	rotate 7
--- a/munin-node.service
+++ b/munin-node.service
@@ -15,8 +15,8 @@ ProtectControlGroups=true
 # end of automatic additions 
 Type=forking
 ExecStart=/usr/sbin/munin-node
-ExecStartPre=/usr/bin/mkdir -p /var/run/munin/
-PIDFile=/var/run/munin/munin-node.pid
+ExecStartPre=/usr/bin/mkdir -p /var/run/munin-node/
+PIDFile=/var/run/munin-node/munin-node.pid

 [Install]
 WantedBy=multi-user.target
--- a/munin-node.tmpfiles
+++ b/munin-node.tmpfiles
@@ -1 +1,2 @@
 d /run/munin 0755 munin munin - -
+d /run/munin-node 0755 root root - -
--- a/munin.changes
+++ b/munin.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul  8 13:03:35 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.de>
+
+- Let munin-node use its own log and run sub-directory
+  to avoid privilege escalation (boo#1246089)
+
 -------------------------------------------------------------------
 Tue Jun 17 11:42:04 UTC 2025 - Lubos Kocman <lubos.kocman@suse.com>

--- a/munin.spec
+++ b/munin.spec
@@ -193,7 +193,7 @@ unzip %{SOURCE13}
 %__install -m0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/cron.d/munin
 %endif

-%__mkdir_p %{buildroot}/%{logdir}
+%__mkdir_p %{buildroot}/%{logdir} %{buildroot}/%{logdir}-node
 %__mkdir_p %{buildroot}/%{htmldir}
 %__mkdir_p %{buildroot}/%{dbdir}
 %__mkdir_p %{buildroot}/%{dbdir}/plugin-state
@@ -208,6 +208,11 @@ ln munin-gsa-master/README.md README.gsa
 %python3_fix_shebang_path %{buildroot}/%{plugindir}/*
 %endif

+# for boo#1246089
+sed -i 's,/var/log/munin/,/var/log/munin-node/,;
+        s,/var/run/munin/,/var/run/munin-node/,' \
+        %{buildroot}/etc/munin/munin-node.conf
+
 # Fix rpmlint warning: This script uses 'env' as an interpreter.
 for F in \
 	%{buildroot}/%{_prefix}/lib/munin/plugins/ipmi_sensor_ \
@@ -452,11 +457,11 @@ fi
 %{_mandir}/man3/Munin::Plugin.3pm.gz
 %{_mandir}/man3/Munin::Plugin::Pgsql.3pm.gz
 %{_mandir}/man3/Munin::Plugin::SNMP.3pm.gz
-%attr(0750, munin, munin) %dir %{logdir}
 %attr(0755, munin, munin) %dir %{dbdir}
 %attr(0775, nobody, nobody) %dir %{dbdir}/plugin-state
-%ghost %{logdir}/munin-node.log
-%ghost /run/munin
+%attr(0750, root, root) %dir %{logdir}-node
+%ghost %{logdir}-node/munin-node.log
+%ghost /run/munin-node
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/munin-node.xml