Skip to content

run snclient as snclient user on linux #310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
BlackIkeEagle wants to merge 4 commits into
base: main
Choose a base branch
from
Open

run snclient as snclient user on linux #310

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
490d1b0
run snclient as snclient user in systemd based distros
BlackIkeEagle Jan 8, 2026
423b3a7
make sure e2e deb test gets the correct permissions
BlackIkeEagle Jan 21, 2026
c1aeaeb
packaging/alpine : acpid -> snclient in initd file
BlackIkeEagle Jan 21, 2026
a0d52fd
run as snclient user in Alpine Linux
BlackIkeEagle Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,9 @@ deb: | dist
build-deb/usr/lib/snclient \
build-deb/usr/bin \
build-deb/lib/systemd/system \
build-deb/lib/sysusers.d \
build-deb/lib/tmpfiles.d \
build-deb/etc/sudoers.d \
build-deb/etc/logrotate.d \
build-deb/usr/share/doc/snclient \
build-deb/usr/share/doc/snclient \
Expand All @@ -467,6 +470,9 @@ deb: | dist
cp ./dist/snclient.ini ./dist/server.crt ./dist/server.key ./dist/cacert.pem ./build-deb/etc/snclient
cp -p ./dist/snclient build-deb/usr/bin/snclient
cp ./packaging/snclient.service build-deb/lib/systemd/system/
cp ./packaging/snclient.sysusers build-deb/lib/sysusers.d/snclient.conf
cp ./packaging/snclient.tmpfiles build-deb/lib/tmpfiles.d/snclient.conf
cp ./packaging/snclient.sudoers build-deb/etc/sudoers.d/snclient
cp ./packaging/snclient.logrotate build-deb/etc/logrotate.d/snclient
cp Changes build-deb/usr/share/doc/snclient/Changes
dch --empty --create --newversion "$(VERSION)" --package "snclient" -D "UNRELEASED" --urgency "low" -c build-deb/usr/share/doc/snclient/changelog "new upstream release"
Expand All @@ -484,6 +490,8 @@ deb: | dist
chmod 755 \
build-deb/usr/bin/snclient \
build-deb/usr/lib/snclient/node_exporter
chmod 0750 build-deb/etc/sudoers.d
chmod 0440 build-deb/etc/sudoers.d/snclient

cp -p dist/snclient.1 build-deb/usr/share/man/man1/snclient.1
gzip -n -9 build-deb/usr/share/man/man1/snclient.1
Expand All @@ -497,6 +505,9 @@ deb: | dist
rpm: | dist
rm -rf snclient-$(VERSION)
cp ./packaging/snclient.service dist/
cp ./packaging/snclient.sysusers dist/
cp ./packaging/snclient.tmpfiles dist/
cp ./packaging/snclient.sudoers dist/
cp ./packaging/snclient.spec dist/
sed -i dist/snclient.spec -e 's|^Version: .*|Version: $(VERSION)|'
sed -i dist/snclient.spec -e 's|^BuildArch: .*|BuildArch: $(RPM_ARCH)|'
Expand Down Expand Up @@ -531,6 +542,11 @@ apk: | dist
cp ./packaging/APKBUILD dist/
cp ./packaging/snclient.initd dist/
cp ./packaging/snclient.post-install dist/
cp ./packaging/snclient.pre-upgrade dist/
cp ./packaging/snclient.post-upgrade dist/
cp ./packaging/snclient.pre-deinstall dist/
cp ./packaging/snclient.post-deinstall dist/
cp ./packaging/snclient.sudoers dist/
sed -i dist/APKBUILD -e 's|^pkgver=.*|pkgver=$(VERSION)|'
sed -i dist/APKBUILD -e 's|^arch=.*|arch=$(RPM_ARCH)|'
cp -rp dist snclient-$(VERSION)
Expand Down
12 changes: 9 additions & 3 deletions packaging/APKBUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,10 @@ pkgdesc="SNClient (Secure Naemon Client) is a general-purpose monitoring agent."
url="https://github.com/Consol-Monitoring/snclient/"
arch="all"
license="MIT"
depends="openrc logrotate"
depends="openrc logrotate sudo"
makedepends=""
source="snclient snclient.confd server.key server.crt cacert.pem snclient.logrotate README.md LICENSE snclient.1 snclient.8 snclient.initd node_exporter"
install="$pkgname.post-install $pkgname.pre-upgrade $pkgname.post-upgrade $pkgname.pre-deinstall $pkgname.post-deinstall"
source="snclient snclient.confd server.key server.crt cacert.pem snclient.logrotate snclient.sudoers README.md LICENSE snclient.1 snclient.8 snclient.initd node_exporter"

package() {
install -Dm755 "$srcdir/snclient" "$pkgdir/usr/bin/snclient"
Expand All @@ -22,6 +23,9 @@ package() {

install -Dm644 "$srcdir/snclient.logrotate" "$pkgdir/etc/logrotate.d/snclient"

install -dm750 "$pkgdir/etc/sudoers.d"
install -Dm440 "$srcdir/snclient.sudoers" "$pkgdir/etc/sudoers.d/snclient"

install -Dm644 "$srcdir/README.md" "$pkgdir/usr/share/doc/$pkgname/README.md"
install -Dm644 "$srcdir/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
install -Dm644 "$srcdir/snclient.1" "$pkgdir/usr/share/man/man1/snclient.1"
Expand All @@ -31,5 +35,7 @@ package() {

install -Dm755 "$srcdir/snclient.initd" "$pkgdir/etc/init.d/snclient"

mkdir -p "$pkgdir/var/log/snclient"
# Create directories (ownership set in post-install after user creation)
install -dm750 "$pkgdir/var/lib/snclient"
install -dm750 "$pkgdir/var/log/snclient"
}
1 change: 1 addition & 0 deletions packaging/debian/conffiles
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@
/etc/snclient/server.key
/etc/snclient/cacert.pem
/etc/logrotate.d/snclient
/etc/sudoers.d/snclient
2 changes: 1 addition & 1 deletion packaging/debian/control
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ Version: UNSET
Section: net
Priority: optional
Architecture: UNSET
Depends: logrotate
Depends: logrotate, systemd
Standards-Version: 3.9.8
Suggests: monitoring-plugins-basic
Maintainer: Sven Nierlein <sven@consol.de>
Expand Down
6 changes: 6 additions & 0 deletions packaging/debian/postinst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ case "$1" in
/etc/snclient/server.crt \
/etc/snclient/cacert.pem \
|| :
if [ -x "/usr/bin/systemd-sysusers" ]; then
systemd-sysusers
fi
if [ -x "/usr/bin/systemd-tmpfiles" ]; then
systemd-tmpfiles --create
fi
if [ -x "/usr/bin/deb-systemd-helper" ]; then
deb-systemd-helper unmask snclient.service
if deb-systemd-helper --quiet was-enabled snclient.service; then
Expand Down
13 changes: 9 additions & 4 deletions packaging/snclient.initd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,20 @@ supervisor="supervise-daemon"
command="/usr/bin/snclient"
command_args="--config /etc/snclient/snclient.ini"
command_args_background="--pidfile ${pidfile} daemon"
command_user="root:root"
pidfile="/var/run/snclient.pid"
command_user="snclient:snclient"
pidfile="/run/snclient/snclient.pid"
directory="/var/lib/snclient"

start_pre() {
checkpath --directory --owner snclient:snclient --mode 0755 /run/snclient
}

reload() {
ebegin "Reloading acpid configuration"
ebegin "Reloading snclient configuration"
${supervisor} ${RC_SVCNAME} --signal HUP --pidfile "${pidfile}"
eend $?
}

depend() {
need net
}
}
6 changes: 6 additions & 0 deletions packaging/snclient.post-deinstall
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,9 @@

# remove leftover additional config files.
rm -rf /etc/snclient
rm -rf /var/lib/snclient
rm -rf /var/log/snclient

# Optionally remove user/group (uncomment if desired)
# deluser snclient 2>/dev/null || true
# delgroup snclient 2>/dev/null || true
20 changes: 19 additions & 1 deletion packaging/snclient.post-install
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,22 @@
#!/bin/sh

# Create snclient group if it doesn't exist
if ! getent group snclient >/dev/null; then
addgroup -S snclient
fi

# Create snclient user if it doesn't exist
if ! getent passwd snclient >/dev/null; then
adduser -S -D -H -h /var/lib/snclient -s /sbin/nologin -G snclient -g "Secure Naemon Client" snclient
fi

# Create and set permissions on directories
install -d -m 0755 -o snclient -g snclient /etc/snclient
install -d -m 0750 -o snclient -g snclient /var/lib/snclient
install -d -m 0750 -o snclient -g snclient /var/log/snclient

# Fix ownership of config files
chown -R snclient:snclient /etc/snclient

rc-update -q add snclient default
rc-service -q snclient start
rc-service -q snclient start
14 changes: 13 additions & 1 deletion packaging/snclient.post-upgrade
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,15 @@
#!/bin/sh

rc-service -q snclient start
# Ensure user/group exist (in case of upgrade from old version)
if ! getent group snclient >/dev/null; then
addgroup -S snclient
fi

if ! getent passwd snclient >/dev/null; then
adduser -S -D -H -h /var/lib/snclient -s /sbin/nologin -G snclient -g "Secure Naemon Client" snclient
fi

# Fix ownership of directories and files
chown -R snclient:snclient /etc/snclient /var/lib/snclient /var/log/snclient 2>/dev/null || true

rc-service -q snclient restart
6 changes: 3 additions & 3 deletions packaging/snclient.service
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@ After=network.target

[Service]
Type=simple
User=root
User=snclient
Group=snclient

Restart=on-failure
RestartSec=10

WorkingDirectory=/
WorkingDirectory=/var/lib/snclient
ExecStart=/usr/bin/snclient --config=/etc/snclient/snclient.ini
ExecStartPre=/bin/mkdir -p /var/log/snclient
ExecReload=/bin/kill -HUP $MAINPID

[Install]
Expand Down
20 changes: 19 additions & 1 deletion packaging/snclient.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ URL: https://github.com/Consol-Monitoring/snclient/
Source0: snclient-%{version}.tar.gz
Group: Applications/System
Summary: Monitoring Agent
Requires: logrotate
Requires: logrotate, systemd

%description
SNClient (Secure Naemon Client) is a general purpose monitoring agent designed
Expand Down Expand Up @@ -41,6 +41,15 @@ It supports Prometheus, NRPE and a REST API HTTP(s) protocol to run checks.
%{__mkdir_p} -m 0755 %{buildroot}/lib/systemd/system
%{__install} -D -m 0644 -p snclient.service %{buildroot}/lib/systemd/system/snclient.service

%{__mkdir_p} -m 0755 %{buildroot}/lib/sysusers.d
%{__install} -D -m 0644 -p snclient.sysusers %{buildroot}/lib/sysusers.d/snclient.conf

%{__mkdir_p} -m 0755 %{buildroot}/lib/tmpfiles.d
%{__install} -D -m 0644 -p snclient.tmpfiles %{buildroot}/lib/tmpfiles.d/snclient.conf

%{__mkdir_p} -m 0755 %{buildroot}/etc/sudoers.d
%{__install} -D -m 0440 -p snclient.sudoers %{buildroot}/etc/sudoers.d/snclient

%{__mkdir_p} -m 0755 %{buildroot}/usr/share/snclient
%{__install} -D -m 0644 -p README.md LICENSE %{buildroot}/usr/share/snclient

Expand All @@ -57,11 +66,17 @@ gzip -n -9 %{buildroot}/usr/share/man/man8/snclient.8
case "$*" in
1)
# First installation
# create user and files/folders
systemd-sysusers
systemd-tmpfiles --create
# start service
systemctl --system daemon-reload >/dev/null || true
systemctl enable snclient.service >/dev/null || true
systemctl start snclient.service >/dev/null || true
;;
2)
# Post upgrade permissions fix
systemd-tmpfiles --create
# Upgrading
systemctl --system daemon-reload >/dev/null || true
systemctl try-restart snclient.service >/dev/null || true
Expand Down Expand Up @@ -106,8 +121,11 @@ exit 0
%attr(0755,root,root) /usr/bin/snclient
%attr(0755,root,root) /usr/lib/snclient/node_exporter
%attr(0644,root,root) /lib/systemd/system/snclient.service
%attr(0644,root,root) /lib/sysusers.d/snclient.conf
%attr(0644,root,root) /lib/tmpfiles.d/snclient.conf
%dir %config(noreplace) /etc/snclient
%config(noreplace) %attr(0600,root,root) /etc/snclient/snclient.ini
%config(noreplace) %attr(0440,root,root) /etc/sudoers.d/snclient
%config(noreplace) %attr(0600,root,root) /etc/snclient/server.key
%config(noreplace) %attr(0600,root,root) /etc/snclient/server.crt
%config(noreplace) %attr(0600,root,root) /etc/snclient/cacert.pem
Expand Down
1 change: 1 addition & 0 deletions packaging/snclient.sudoers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Defaults:snclient !requiretty
2 changes: 2 additions & 0 deletions packaging/snclient.sysusers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
g snclient - -
u snclient - "Secure Naemon Client" /var/lib/snclient
7 changes: 7 additions & 0 deletions packaging/snclient.tmpfiles
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
d /etc/snclient 0755 snclient snclient - -
Z /etc/snclient - snclient snclient - -

d /var/lib/snclient 0750 snclient snclient - -
Z /var/lib/snclient - snclient snclient - -

d /var/log/snclient 0750 snclient snclient - -
23 changes: 21 additions & 2 deletions t/40_e2e_deb_linux_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,13 @@ func TestDEBinstaller(t *testing.T) {
for _, file := range requiredFiles {
require.FileExistsf(t, file, file+" has been installed")
}
requiredFolders := []string{
"/var/lib/snclient",
"/var/log/snclient",
}
for _, folder := range requiredFolders {
require.DirExistsf(t, folder, folder+" has been created")
}

runCmd(t, &cmd{
Cmd: "/usr/bin/snclient",
Expand All @@ -66,7 +73,7 @@ func TestDEBinstaller(t *testing.T) {
Like: []string{`/usr/bin/snclient`, `running`},
})

// add custom .ini
// add custom .ini with correct ownership for snclient user
runCmd(t, &cmd{
Cmd: "sudo",
Args: []string{"touch", localDEBINIPath},
Expand All @@ -76,6 +83,14 @@ func TestDEBinstaller(t *testing.T) {
Args: []string{"chmod", "666", localDEBINIPath},
})
writeFile(t, localDEBINIPath, localTestINI)
runCmd(t, &cmd{
Cmd: "sudo",
Args: []string{"chown", "snclient:snclient", localDEBINIPath},
})
runCmd(t, &cmd{
Cmd: "sudo",
Args: []string{"chmod", "640", localDEBINIPath},
})
writeFile(t, `snclient.ini`, localDaemonINI)

runCmd(t, &cmd{
Expand Down Expand Up @@ -104,7 +119,11 @@ func TestDEBinstaller(t *testing.T) {
Like: []string{"OK - CPU load is ok."},
})

// make logfile readable and check for errors
// make logfolder and logfile readable and check for errors
runCmd(t, &cmd{
Cmd: "sudo",
Args: []string{"chmod", "755", "/var/log/snclient"},
})
runCmd(t, &cmd{
Cmd: "sudo",
Args: []string{"chmod", "666", "/var/log/snclient/snclient.log"},
Expand Down