@@ -170,10 +170,26 @@ munin-run <plugin_name> config # test config output
munin-run <plugin_name> # test value output
```
-Note: on systems where munin-node runs with `ProtectHome=yes` (systemd), plugins running as non-root users cannot access `/home/`. Either run as `user root` or place data outside `/home/`.
+Note: Debian's munin-node ships with `ProtectHome=yes` in systemd, which hides `/home/` from the entire process namespace regardless of user; `user root` in plugin-conf.d doesn't help. See [ProtectHome](#protecthome-and-home-access) for workarounds.
After installing or removing plugins: `systemctl restart munin-node`
+## ProtectHome and /home/ access
+
+`ProtectHome=yes` mounts `/home/`, `/root`, `/run/user` as empty tmpfs. No user can see through it.
+
+Fix with
+
+```bash
+sudo mkdir -p /etc/systemd/system/munin-node.service.d
+printf '[Service]\nProtectHome=read-only\n' | sudo tee /etc/systemd/system/munin-node.service.d/override.conf
+sudo systemctl daemon-reload && sudo systemctl restart munin-node
+```
+
+Alternatives: `ProtectHome=tmpfs` + `BindReadOnlyPaths=` for selective exposure, or move data outside `/home/`.
+
+**Pitfall**: even with `ProtectHome=read-only`, a 750 home directory blocks the `munin` user from traversing the path. Use `user root` in plugin-conf.d for such cases.
+
## Alerting
Alerts are configured in `/etc/munin/munin.conf` on the master. A contact is a command that receives alert text on stdin.
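Review bot: the recommended fix in the new "ProtectHome and /home/ access" section relaxes the sandbox more than a plugin needs. It sets `ProtectHome=read-only` for the whole unit, and the Pitfall then advises `user root` in plugin-conf.d. Together these let a root-run plugin read everything under `/home/`, `/root` and `/run/user`, when it typically needs one data path. Suggest leading with the options now listed as alternatives (moving the data outside `/home/`, or `ProtectHome=tmpfs` with `BindReadOnlyPaths=` naming only the required path) and presenting `read-only` as the broader fallback with that trade-off stated. Separately, the section describes `ProtectHome=yes` as mounting the directories "as empty tmpfs" while offering `ProtectHome=tmpfs` a few lines later as a different setting. Describing `yes` as making the directories inaccessible would keep the two modes distinct.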