[pkg-bacula-devel] Bug#699149: Bug#699149: Bug#699149: bacula-fd: should not run as 'root' by default

Alexander Golovko alexandro at ankalagon.ru
Thu Jan 31 12:10:17 UTC 2013 

В Wed, 30 Jan 2013 11:19:13 +0200
Teodor MICU <mteodor at gmail.com> пишет:

> 2013/1/29 Alexander Golovko <alexandro at ankalagon.ru>:
> >>   ARGS="-u bacula -g bacula -k"
> >>
> >> I think that from a security perspective this should be the default
> >> on package installation.
> >
> > This will lead to impossibility to restore backups without
> > restarting bacula-fd. This is also can require changing user scripts
> > for dump databases and such. This can confuse peoples.
> 
> I'm having this setup and I can restore backups just fine. Of course,
> the restore directory must be rwx by bacula or mode 1777.

You lose files owner/group and acl on restoring.


> 
> About the other thing (ie. dump databases), I can't tell.
> 
> > I think, we should not change defaults, however, this functionality
> > described in README.Debian.gz (USERS & SECURITY).
> 
> But you do for bacula-dir and bacula-sd, why not for bacula-fd?
> 
> > bacula-fd init script correctly work without /e/d/bacula-fd.
> 
> Right. I thought that it depends on setting ENABLED="yes" but I see
> now that it checks for "no".
> 
> > But there is a reason for set defaults in init scripts for
> > bacula-director and bacula-sd and comment defaults in /e/d/bacula-*
> 
> Can you detail a little? I don't understand what you're trying to say.

/e/d/bacula-{dir,sd} has nonempty ARGS and bacula-{director,sd} will be
incorrectly runned under root privileges if defaults file missed.

This should be changed. Also, there is a reason, that we should provide
defaults in /e/d/bacula-* as comments. I think, this is will not be
included into wheezy, but it should be fixed in next versions.


-- 
with best regards,
Alexander Golovko
email: alexandro at ankalagon.ru
xmpp: alexandro at ankalagon.ru
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-bacula-devel/attachments/20130131/d8fb492c/attachment.pgp>

More information about the pkg-bacula-devel mailing list