[pkg-bacula-devel] Bug#699149: Bug#699149: bacula-fd: should not run as 'root' by default

Alexander Golovko alexandro at ankalagon.ru
Tue Jan 29 13:29:44 UTC 2013


Severity: wishlist
--

On Mon, 28 Jan 2013 01:39:52 -0700
Teodor <mteodor at gmail.com> wrote:

> Package: bacula-fd
> Version: 5.2.6+dfsg-7
> Severity: normal
> 
> Hi,

Hi!

> 
> The other Bacula services are started by 'bacula' user. Only bacula-fd
> is started as 'root'. However, I've just discovered that it can
> function properly with limited privileges too.
> 
> For this one must edit /etc/default/bacula-df to contain:
> 
>   ARGS="-u bacula -g bacula -k"
> 
> I think that from a security perspective this should be the default
> on package installation.

This will make it impossible to restore backups without
restarting bacula-fd. It can also require changing user scripts
for dumping databases and such. This can confuse people.

I think we should not change the defaults; however, this functionality
is described in README.Debian.gz (USERS & SECURITY).


> 
> Also, the init script file should work with defaults even if there is
> no content on /e/d/bacula-fd or is completely missing. This means that
> at install all default options should be provided as a
> comment/example:
> 
> #ENABLED="yes"
> #ARGS="-u bacula -g bacula -k"
> #CONFIG="/etc/bacula/bacula-fd.conf"

The bacula-fd init script works correctly without /e/d/bacula-fd.
But there is a reason to set defaults in the init scripts for
bacula-director and bacula-sd and to comment the defaults in /e/d/bacula-*


> 
> Cheers
> 
> 
> -- System Information:
> Debian Release: 7.0
>   APT prefers testing
>   APT policy: (500, 'testing'), (200, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages bacula-fd depends on:
> ii  bacula-common  5.2.6+dfsg-7
> ii  libacl1        2.2.51-8
> ii  libc6          2.13-37
> ii  libcap2        1:2.22-1.2
> ii  libgcc1        1:4.7.2-5
> ii  libpython2.7   2.7.3-6
> ii  libssl1.0.0    1.0.1c-4
> ii  libstdc++6     4.7.2-5
> ii  libwrap0       7.6.q-24
> ii  lsb-base       4.1+Debian8
> ii  ucf            3.0025+nmu3
> ii  zlib1g         1:1.2.7.dfsg-13
> 
> bacula-fd recommends no packages.
> 
> Versions of packages bacula-fd suggests:
> pn  bacula-traymonitor  <none>
> 
> -- no debconf information
> 


-- 
with best regards,
Alexander Golovko
email: alexandro at ankalagon.ru
xmpp: alexandro at ankalagon.ru
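
Added example, not part of the original message or of the Debian package: a small audit helper that reads a Debian-style defaults file without sourcing it and reports whether bacula-fd would stay root or drop privileges, covering the uncommented, commented-out and missing-file cases discussed in the thread. The function names `fd_args` and `fd_mode` and the sample files are constructed; the reading of `-k` as "keep read-all capability" is taken from bacula-fd(8).

```shell
#!/bin/sh
# Added example: classify bacula-fd's start-up privileges from a defaults file.
# The file is parsed as text only; it is never sourced or eval'ed.

# Print the effective ARGS value: the last uncommented ARGS= assignment.
# A commented line (#ARGS=...) or a missing file yields an empty string,
# i.e. the init script's built-in defaults apply.
fd_args() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*ARGS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print one of:
#   root                  no -u given (the thread says this is the default)
#   unprivileged-readall  -u with -k: can read everything for backups,
#                         but cannot write restored files
#   unprivileged          -u without -k
fd_mode() {
    user="" keep=no
    set -- $(fd_args "$1")
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) user="${2:-}"; if [ $# -gt 1 ]; then shift; fi ;;
            -k) keep=yes ;;
        esac
        shift
    done
    case "$user" in
        ""|root|0) echo root ;;
        *) if [ "$keep" = yes ]; then echo unprivileged-readall
           else echo unprivileged; fi ;;
    esac
}

# Constructed sample files mirroring the cases in the thread.
tmp=$(mktemp -d)
printf '%s\n' 'ARGS="-u bacula -g bacula -k"' > "$tmp/dropped"
printf '%s\n' '#ENABLED="yes"' '#ARGS="-u bacula -g bacula -k"' > "$tmp/commented"
for f in dropped commented missing; do
    printf '%-10s %s\n' "$f" "$(fd_mode "$tmp/$f")"
done
rm -rf "$tmp"
```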