icinga2 icon indicating copy to clipboard operation
icinga2 copied to clipboard
verified publisher icon Icinga

cd to the icinga2 user's home directory

Open mphilipps opened this issue 5 years ago • 6 comments

Icinga2's cwd is inherited by all checkcommands and such should be set a sane value regardless of how and where the init script was called.

fixes #7756

mphilipps avatar Feb 14 '20 14:02 mphilipps

Also something to note: The code above it doesn't work. ( ) creates a subshell and exit just exits the subshell and continues with the base script.

mphilipps avatar Feb 14 '20 14:02 mphilipps

Good catch, this has been sitting there since 5 years with https://github.com/Icinga/icinga2/commit/9f0e0aac869b2ca7c7b9e438eb6cb4414cbf0978

I'm not a Bash programmer, maybe you can do us a favor and fix that as well in a separate PR? :)

dnsmichi avatar Feb 14 '20 15:02 dnsmichi

First of all, sorry for having this lie around for so long.

I presume that the choice of the home directory instead of / is due to https://github.com/Icinga/icinga2/pull/7803#issuecomment-580651448:

A service should not work in / instead of its own working directory. User icinga has a home directory of /var/spool/icinga2 which would be better suited. From SELinux perspective / is root_t which I will not allow access to for anything.

However, our systemd unit also starts with / as the working directory (verified on Debian 10 with the 2.12.4 package from packages.icinga.com), so I think this a sane choice and seems to cause no problems in general. For consistency and because you might end up with something like /var/lib/nagios on Debian, I think / would be the better choice. This change isn't about giving plugins the ability to use relative paths for file operations but rather providing them with a sane environment where accessing . does not fail.

@dgoetz Do you have any objections to this?

julianbrost avatar Jun 21 '21 12:06 julianbrost

I also opt for /. It's the last resort.

Al2Klimov avatar Jan 20 '23 11:01 Al2Klimov

@cla-bot check

Al2Klimov avatar May 28 '25 11:05 Al2Klimov

Thank you for your pull request. Before we can look at it, you'll need to sign a Contributor License Agreement (CLA).

Please follow instructions at https://icinga.com/company/contributor-agreement to sign the CLA.

After that, please reply here with a comment and we'll verify.

Contributors that have not signed yet: @mphilipps

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Please contact us if you think this is the case.

  • If you signed the CLA as a corporation, your GitHub username may not have been submitted to us. Please reach out to the responsible person in your organization.

cla-bot[bot] avatar May 28 '25 11:05 cla-bot[bot]