[pkg-bacula-devel] Bug#683080: Bug#683080: Bug#683080: bacula-fd: Please build with libcap-dev
Alexander Golovko
alexandro at ankalagon.ru
Mon Aug 6 06:52:31 UTC 2012
On Fri, 03 Aug 2012 16:12:58 +0200
Luca Capello <luca at pca.it> wrote:
> Hi there!
>
> Re-adding the BTS: Alexander, most of the time it is worth keeping the
> BTS in the loop, given that it is a way to document decisions.
>
> On Mon, 30 Jul 2012 20:36:26 +0200, Alexander Golovko wrote:
> > On Mon, 30 Jul 2012 14:31:15 +0100, Bart Swedrowski wrote:
> >> On 28 July 2012 15:03, Elrond
> >> <elrond+bugs.debian.org at samba-tng.org> wrote:
> >>> Could you allow the "-k" option to bacula-fd?
> >>>
> >>> Starting with -k gives the following error:
> >>>
> >>> "Keep readall caps not implemented this OS or missing
> >>> libraries."
> >>>
> >>> My current guess: bacula-fd is not linked to the libcap
> >>> library. After a quick look at bacula's configure.in and
> >>> src/lib/priv.c this seems to really be the case.
> >>>
> >>> So probably just having libcap-dev installed while
> >>> building bacula should solve this.
> >>
> >> By default, Debian installation of bacula-fd runs it as root user
> >> so having that option is pointless in current state of things.
> >> However, the benefits of it are quite obvious and can potentially
> >> be useful for
> >> quite a wide range of users in my opinion.
> >>
> >> Upstream documentation about the "-k" option -
> >>
> >> http://www.bacula.org/en/dev-manual/main/main/New_Features_in_5_0_0.html#SECTION001080000000000000000
>
> Copying here for future references:
>
> Read-only File Daemon using capabilities
>
> This feature implements support of keeping ReadAll capabilities
> after UID/GID switch, this allows FD to keep root read but drop write
> permission.
>
> It introduces new bacula-fd option (-k) specifying that ReadAll
> capabilities should be kept after UID/GID switch.
>
> root at localhost:~# bacula-fd -k -u nobody -g nobody
>
> The code for this feature was contributed by our friends at
> AltLinux.
>
> >> I wouldn't mind adding this option however still stick to running
> >> bacula-fd as a root user by default; if someone wants to make use
> >> of "-k" option functionality they'll be able to do so via utilising
> >> /etc/default/bacula-fd overrides.
> >>
> >> Luca, Alexandro - what's your view on this, guys?
> >
> > I'm sure that this is a useful feature and we can build bacula-fd
> > with it
>
> I would go even further: if I read it correctly, this should improve
> security, so I was wondering if it would be better to have it by
> default...
Yes, but enabling this feature causes all bacula binaries and libraries
to link with libcap2. So, I need some more investigation to add
capabilities support.
>
> Thx, bye,
> Gismo / Luca
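
The privilege drop that the quoted upstream documentation describes for "-k" (keep read-all rights across the UID/GID switch, lose write), as an added example that is not Bacula's src/lib/priv.c and not part of the original thread. It assumes "ReadAll" corresponds to Linux CAP_DAC_READ_SEARCH and uses the raw capset system call instead of libcap; the names readall_caps and drop_keep_readall are hypothetical.

```c
/* Added example: keep only CAP_DAC_READ_SEARCH across a UID/GID switch. */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill a v3 capability set whose permitted and effective sets hold only
 * CAP_DAC_READ_SEARCH (bypass read/search permission checks, no write). */
void readall_caps(struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof(d[0]));
    d[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].permitted = CAP_TO_MASK(CAP_DAC_READ_SEARCH);
    d[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective = CAP_TO_MASK(CAP_DAC_READ_SEARCH);
}

/* Switch to uid/gid while keeping read-all. Returns 0 on success, or the
 * negative number of the step that failed. Must start as root. */
int drop_keep_readall(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    readall_caps(d);
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1; /* permitted set survives setuid */
    if (setgroups(0, NULL) != 0) return -2;          /* drop supplementary groups */
    if (setgid(gid) != 0) return -3;
    if (setuid(uid) != 0) return -4;                 /* effective set is cleared here */
    if (syscall(SYS_capset, &h, d) != 0) return -5;  /* shrink permitted, re-raise effective */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) return -6;
    if (setuid(0) == 0) return -7;                   /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s UID GID\n", argv[0]); return 2; }
    int rc = drop_keep_readall((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]));
    printf("drop_keep_readall: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root with a numeric unprivileged UID and GID; afterwards the Eff and Prm masks in /proc/self/status for that process would show only bit 2 set.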