[pkg-bacula-devel] Bug#683080: Bug#683080: Bug#683080: bacula-fd: Please build with libcap-dev

Luca Capello luca at pca.it
Fri Aug 3 14:12:58 UTC 2012


Hi there!

Re-adding the BTS: Alexander, most of the time it is worth keeping the
BTS in the loop, given that it is a way to document decisions.

On Mon, 30 Jul 2012 20:36:26 +0200, Alexander Golovko wrote:
> On Mon, 30 Jul 2012 14:31:15 +0100, Bart Swedrowski wrote:
>> On 28 July 2012 15:03, Elrond <elrond+bugs.debian.org at samba-tng.org>
>> wrote:
>>> Could you allow the "-k" option to bacula-fd?
>>>
>>> Starting with -k gives the following error:
>>>
>>>    "Keep readall caps not implemented this OS or missing libraries."
>>>
>>> My current guess: bacula-fd is not linked to the libcap
>>> library. After a quick look at bacula's configure.in and
>>> src/lib/priv.c this seems to really be the case.
>>>
>>> So probably just having libcap-dev installed while
>>> building bacula should solve this.
>>
>> By default, Debian installation of bacula-fd runs it as root user so
>> having that option is pointless in current state of things.  However,
>> the benefits of it are quite obvious and can potentially be useful for
>> quite a wide range of users in my opinion.
>>
>> Upstream documentation about the "-k" option -
>>
>> http://www.bacula.org/en/dev-manual/main/main/New_Features_in_5_0_0.html#SECTION001080000000000000000

Copying here for future reference:

  Read-only File Daemon using capabilities

  This feature implements support of keeping ReadAll capabilities after
  UID/GID switch, this allows FD to keep root read but drop write
  permission.

  It introduces new bacula-fd option (-k) specifying that ReadAll
  capabilities should be kept after UID/GID switch.

  root@localhost:~# bacula-fd -k -u nobody -g nobody

  The code for this feature was contributed by our friends at AltLinux.

>> I wouldn't mind adding this option however still stick to running
>> bacula-fd as a root user by default; if someone wants to make use of
>> "-k" option functionality they'll be able to do so via utilising
>> /etc/default/bacula-fd overrides.
>>
>> Luca, Alexandro - what's your view on this, guys?
>
> I'm sure that this is a useful feature and we can build bacula-fd with it

I would go even further: if I read it correctly, this should improve
security, so I was wondering if it would be better to have it by
default...

Thx, bye,
Gismo / Luca
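
The mechanism the quoted upstream text describes (keeping read-all access across the UID/GID switch while dropping write permission), as an added example that is not part of this message and is not Bacula's code. It assumes "ReadAll" corresponds to Linux CAP_DAC_READ_SEARCH, uses raw syscalls instead of libcap, and the function names and the uid/gid 65534 for "nobody" are hypothetical.

```c
/* Added illustration, not Bacula's code: keep only CAP_DAC_READ_SEARCH
 * across a UID/GID switch using raw Linux syscalls (no libcap). */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill a v3 capability set: read/search bypass only, nothing inheritable. */
void readall_caps(struct __user_cap_data_struct d[2]) {
    memset(d, 0, 2 * sizeof d[0]);
    d[0].permitted = d[0].effective = 1u << CAP_DAC_READ_SEARCH;
}

/* Switch to uid/gid, keeping read-all. Returns 0, or -1 on failure. */
int drop_keep_readall(uid_t uid, gid_t gid) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    /* Without KEEPCAPS the permitted set is cleared when the UID leaves 0. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0) return -1;
    /* Groups first: after setresuid() we can no longer change them. */
    if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Effective caps were cleared by the UID change; re-raise only one bit.
     * This also discards every other permitted capability (CAP_DAC_OVERRIDE,
     * CAP_SETUID, ...), so write access and regaining root are gone. */
    readall_caps(d);
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    /* Fail closed if the old UID can still be restored. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
}

int main(void) {
    /* 65534 is an assumed uid/gid for "nobody"; needs root to succeed. */
    if (drop_keep_readall(65534, 65534) != 0) { perror("drop_keep_readall"); return 1; }
    printf("uid=%d, read-only capability set active\n", (int)getuid());
    return 0;
}
```

The order matters: a process that switches UID without PR_SET_KEEPCAPS loses the capability entirely, and one that skips the final capset keeps every root capability in its permitted set.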