From e7baac2a2496d9666b468e6b837be039a5ef1651 Mon Sep 17 00:00:00 2001
From: BlackEagle
Date: Thu, 8 Jan 2026 14:54:48 +0100
Subject: [PATCH] run snclient as snclient user in systemd based distros
See: https://github.com/ConSol-Monitoring/snclient/discussions/272
Signed-off-by: BlackEagle
---
 Makefile | 11 +++++++++++
 packaging/debian/conffiles | 1 +
 packaging/debian/control | 2 +-
 packaging/debian/postinst | 6 ++++++
 packaging/snclient.service | 6 +++---
 packaging/snclient.spec | 20 +++++++++++++++++++-
 packaging/snclient.sudoers | 1 +
 packaging/snclient.sysusers | 2 ++
 packaging/snclient.tmpfiles | 7 +++++++
 9 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 packaging/snclient.sudoers
 create mode 100644 packaging/snclient.sysusers
 create mode 100644 packaging/snclient.tmpfiles
diff --git a/Makefile b/Makefile
index d6ea721f..1d3100c3 100644
--- a/Makefile
+++ b/Makefile
@@ -449,6 +449,9 @@ deb: | dist
 build-deb/usr/lib/snclient \
 build-deb/usr/bin \
 build-deb/lib/systemd/system \
+ build-deb/lib/sysusers.d \
+ build-deb/lib/tmpfiles.d \
+ build-deb/etc/sudoers.d \
 build-deb/etc/logrotate.d \
 build-deb/usr/share/doc/snclient \
 build-deb/usr/share/doc/snclient \
@@ -467,6 +470,9 @@ deb: | dist
 cp ./dist/snclient.ini ./dist/server.crt ./dist/server.key ./dist/cacert.pem ./build-deb/etc/snclient
 cp -p ./dist/snclient build-deb/usr/bin/snclient
 cp ./packaging/snclient.service build-deb/lib/systemd/system/
+ cp ./packaging/snclient.sysusers build-deb/lib/sysusers.d/snclient.conf
+ cp ./packaging/snclient.tmpfiles build-deb/lib/tmpfiles.d/snclient.conf
+ cp ./packaging/snclient.sudoers build-deb/etc/sudoers.d/snclient
 cp ./packaging/snclient.logrotate build-deb/etc/logrotate.d/snclient
 cp Changes build-deb/usr/share/doc/snclient/Changes
 dch --empty --create --newversion "$(VERSION)" --package "snclient" -D "UNRELEASED" --urgency "low" -c build-deb/usr/share/doc/snclient/changelog "new upstream release"
@@ -484,6 +490,8 @@ deb: | dist
 chmod 755 \
 build-deb/usr/bin/snclient \
 build-deb/usr/lib/snclient/node_exporter
+ chmod 0750 build-deb/etc/sudoers.d
+ chmod 0440 build-deb/etc/sudoers.d/snclient
 cp -p dist/snclient.1 build-deb/usr/share/man/man1/snclient.1
 gzip -n -9 build-deb/usr/share/man/man1/snclient.1
@@ -497,6 +505,9 @@ deb: | dist
 rpm: | dist
 rm -rf snclient-$(VERSION)
 cp ./packaging/snclient.service dist/
+ cp ./packaging/snclient.sysusers dist/
+ cp ./packaging/snclient.tmpfiles dist/
+ cp ./packaging/snclient.sudoers dist/
 cp ./packaging/snclient.spec dist/
 sed -i dist/snclient.spec -e 's|^Version: .*|Version: $(VERSION)|'
 sed -i dist/snclient.spec -e 's|^BuildArch: .*|BuildArch: $(RPM_ARCH)|'
diff --git a/packaging/debian/conffiles b/packaging/debian/conffiles
index 781968b5..79cc1ff5 100644
--- a/packaging/debian/conffiles
+++ b/packaging/debian/conffiles
@@ -3,3 +3,4 @@
 /etc/snclient/server.key
 /etc/snclient/cacert.pem
 /etc/logrotate.d/snclient
+/etc/sudoers.d/snclient
diff --git a/packaging/debian/control b/packaging/debian/control
index 872f4eb5..390a8f0a 100644
--- a/packaging/debian/control
+++ b/packaging/debian/control
@@ -3,7 +3,7 @@ Version: UNSET
 Section: net
 Priority: optional
 Architecture: UNSET
-Depends: logrotate
+Depends: logrotate, systemd
 Standards-Version: 3.9.8
 Suggests: monitoring-plugins-basic
 Maintainer: Sven Nierlein
diff --git a/packaging/debian/postinst b/packaging/debian/postinst
index f8b18607..9ff60fd6 100755
--- a/packaging/debian/postinst
+++ b/packaging/debian/postinst
@@ -13,6 +13,12 @@ case "$1" in
 /etc/snclient/server.crt \
 /etc/snclient/cacert.pem \
 || :
+ if [ -x "/usr/bin/systemd-sysusers" ]; then
+ systemd-sysusers
+ fi
+ if [ -x "/usr/bin/systemd-tmpfiles" ]; then
+ systemd-tmpfiles --create
+ fi
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
 deb-systemd-helper unmask snclient.service
 if deb-systemd-helper --quiet was-enabled snclient.service; then
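Review bot: The added `systemd-sysusers` and `systemd-tmpfiles --create` calls in packaging/debian/postinst take no arguments, so each one applies every sysusers.d and tmpfiles.d file on the host instead of only the two this package installs. Scoping them keeps the maintainer script from touching unrelated accounts and paths: `systemd-sysusers snclient.conf` and `systemd-tmpfiles --create snclient.conf`. The same unscoped calls appear in the %post scriptlet of packaging/snclient.spec. The enclosing `case` branch starts and ends outside this hunk.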
diff --git a/packaging/snclient.service b/packaging/snclient.service
index c8e8b51b..0d20f8cf 100644
--- a/packaging/snclient.service
+++ b/packaging/snclient.service
@@ -4,14 +4,14 @@ After=network.target
 [Service]
 Type=simple
-User=root
+User=snclient
+Group=snclient
 Restart=on-failure
 RestartSec=10
-WorkingDirectory=/
+WorkingDirectory=/var/lib/snclient
 ExecStart=/usr/bin/snclient --config=/etc/snclient/snclient.ini
-ExecStartPre=/bin/mkdir -p /var/log/snclient
 ExecReload=/bin/kill -HUP $MAINPID
 [Install]
diff --git a/packaging/snclient.spec b/packaging/snclient.spec
index eff1a782..1ec5c47c 100644
--- a/packaging/snclient.spec
+++ b/packaging/snclient.spec
@@ -8,7 +8,7 @@ URL: https://github.com/Consol-Monitoring/snclient/
 Source0: snclient-%{version}.tar.gz
 Group: Applications/System
 Summary: Monitoring Agent
-Requires: logrotate
+Requires: logrotate, systemd
 %description
 SNClient (Secure Naemon Client) is a general purpose monitoring agent designed
@@ -41,6 +41,15 @@ It supports Prometheus, NRPE and a REST API HTTP(s) protocol to run checks.
 %{__mkdir_p} -m 0755 %{buildroot}/lib/systemd/system
 %{__install} -D -m 0644 -p snclient.service %{buildroot}/lib/systemd/system/snclient.service
+%{__mkdir_p} -m 0755 %{buildroot}/lib/sysusers.d
+%{__install} -D -m 0644 -p snclient.sysusers %{buildroot}/lib/sysusers.d/snclient.conf
+
+%{__mkdir_p} -m 0755 %{buildroot}/lib/tmpfiles.d
+%{__install} -D -m 0644 -p snclient.tmpfiles %{buildroot}/lib/tmpfiles.d/snclient.conf
+
+%{__mkdir_p} -m 0755 %{buildroot}/etc/sudoers.d
+%{__install} -D -m 0440 -p snclient.sudoers %{buildroot}/etc/sudoers.d/snclient
+
 %{__mkdir_p} -m 0755 %{buildroot}/usr/share/snclient
 %{__install} -D -m 0644 -p README.md LICENSE %{buildroot}/usr/share/snclient
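Review bot: Dropping `ExecStartPre=/bin/mkdir -p /var/log/snclient` while switching to `User=snclient` in packaging/snclient.service leaves log-directory setup entirely to packaging/snclient.tmpfiles, and that file carries `Z` lines for /etc/snclient and /var/lib/snclient but only a `d` line for /var/log/snclient. On a host upgraded from a root-run release, log files already in that directory would presumably stay root-owned, so the unprivileged daemon could not append to them. Adding `Z /var/log/snclient - snclient snclient - -` to the tmpfiles file would cover the upgrade case; `LogsDirectory=snclient` and `StateDirectory=snclient` in this unit are an alternative that does not depend on the package scriptlets having run.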
@@ -57,11 +66,17 @@ gzip -n -9 %{buildroot}/usr/share/man/man8/snclient.8
 case "$*" in
 1)
 # First installation
+ # create user and files/folders
+ systemd-sysusers
+ systemd-tmpfiles --create
+ # start service
 systemctl --system daemon-reload >/dev/null || true
 systemctl enable snclient.service >/dev/null || true
 systemctl start snclient.service >/dev/null || true
 ;;
 2)
+ # Post upgrade permissions fix
+ systemd-tmpfiles --create
 # Upgrading
 systemctl --system daemon-reload >/dev/null || true
 systemctl try-restart snclient.service >/dev/null || true
@@ -106,8 +121,11 @@ exit 0
 %attr(0755,root,root) /usr/bin/snclient
 %attr(0755,root,root) /usr/lib/snclient/node_exporter
 %attr(0644,root,root) /lib/systemd/system/snclient.service
+%attr(0644,root,root) /lib/sysusers.d/snclient.conf
+%attr(0644,root,root) /lib/tmpfiles.d/snclient.conf
 %dir %config(noreplace) /etc/snclient
 %config(noreplace) %attr(0600,root,root) /etc/snclient/snclient.ini
+%config(noreplace) %attr(0440,root,root) /etc/sudoers.d/snclient
 %config(noreplace) %attr(0600,root,root) /etc/snclient/server.key
 %config(noreplace) %attr(0600,root,root) /etc/snclient/server.crt
 %config(noreplace) %attr(0600,root,root) /etc/snclient/cacert.pem
diff --git a/packaging/snclient.sudoers b/packaging/snclient.sudoers
new file mode 100644
index 00000000..7211b8d7
--- /dev/null
+++ b/packaging/snclient.sudoers
@@ -0,0 +1 @@
+Defaults:snclient !requiretty
diff --git a/packaging/snclient.sysusers b/packaging/snclient.sysusers
new file mode 100644
index 00000000..e8eb47ea
--- /dev/null
+++ b/packaging/snclient.sysusers
@@ -0,0 +1,2 @@
+g snclient - -
+u snclient - "Secure Naemon Client" /var/lib/snclient
diff --git a/packaging/snclient.tmpfiles b/packaging/snclient.tmpfiles
new file mode 100644
index 00000000..6b8ce5b8
--- /dev/null
+++ b/packaging/snclient.tmpfiles
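Review bot: The upgrade branch `2)` of the scriptlet in packaging/snclient.spec runs only `systemd-tmpfiles --create`; `systemd-sysusers` is called in the first-install branch `1)` alone. On an upgrade from a release that ran as root, the snclient account would therefore not exist when tmpfiles tries to chown to it or when `systemctl try-restart` starts a unit with `User=snclient`, unless a scriptlet outside this hunk creates it. Adding `systemd-sysusers snclient.conf` ahead of the tmpfiles call in branch `2)` covers that path. The scriptlet starts and ends outside the hunk.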
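Review bot: packaging/snclient.sudoers ships with no comment, yet it lands in /etc/sudoers.d as a config file that administrators are likely to extend. A leading line such as `# Lets the snclient service account call sudo without a tty; grants no privileges by itself.` would record the intent and make clear that any command rules are a separate, deliberate addition. A build-time `visudo -cf packaging/snclient.sudoers` in the Makefile would also catch a syntax slip before the file reaches a host's sudo configuration.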
@@ -0,0 +1,7 @@
+d /etc/snclient 0755 snclient snclient - -
+Z /etc/snclient - snclient snclient - -
+
+d /var/lib/snclient 0750 snclient snclient - -
+Z /var/lib/snclient - snclient snclient - -
+
+d /var/log/snclient 0750 snclient snclient - -
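Review bot: `Z /etc/snclient - snclient snclient - -` recursively hands the service account ownership of everything under /etc/snclient, which per the Makefile hunk includes snclient.ini and server.key, so a compromised agent could rewrite its own configuration and TLS key. If the daemon only needs to read these files, root ownership with group read is the tighter choice, e.g. `d /etc/snclient 0750 root snclient - -` and `Z /etc/snclient - root snclient - -`, with the packaged file modes moved from 0600 to 0640. The current lines also disagree with `%attr(0600,root,root)` in the spec's %files list, so rpm verification would presumably report ownership drift once %post has run.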