[pkg-bacula-devel] user/group setting in init-scripts and units
sven at svenhartge.de
Mon Jul 18 09:21:23 UTC 2016
[I re-added the mailing list to keep the discussion in the archives.]
At 10:43 on 18.07.16, Carsten Leonhardt wrote:
>> But now, I came across Issue#1905
>> http://bugs.bacula.org/view.php?id=1905 from the Bacula bugtracker,
>> which states that if you use "-u" and "-g" you no longer can get an
>> automatic backtrace.
> Hm... ok, now that we know that something that doesn't work because of
> the way we start the daemons, you convinced me that we should change it.
> And you're probably right that someone who wanted to run bacula as a
> different user would have compiled it on their own. Especially if we
> consider that bacula packaging was stalled for quite a while.
I created a test-branch to play around with this, you can find my changes
as systemd-fixuser. I had to remove the $ARGS variable from all
start-stop-daemon calls, as its content would be incompatible with the new
startup and I think we don't need it, as there are no useful changeable
parameters not dealing with debugging. (Besides -u and -g which we are
getting rid of.)
> Currently we lack a suggests: or recommends: gdb though, I'll put that
> in. I think Suggests: would be sufficient.
I think so too, Recommends: is too strong in this case, as it would pull in
gdb on nearly every system.
>> In my opinion we should remove that option from the packages,
>> simplifying both the init-script and the systemd units.
> We'll have to put a warning somewhere, my first idea would be
> There is one application for a changed user:group though, and that is
> for bacula-fd. Using capabilities it's possible to retain read access to
> the whole file system after dropping all other privileges¹. I learned
> this after I wrote the last reply to
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699149 - I should put
> an updated note there.
Interesting, I did not know about that. But I think this will not work, if
the switch to a different user is done before the start of bacula-fd, like
the upstream init scripts and systemd units do.
This needs more investigation, but right now I am under the impression
that "-k" is mutually exclusive to using --chuid of start-stop-daemon or
User=/Group= of systemd.
Maybe we need some capabilities in the filesystem, like ping does have.
CAP_DAC_READ_SEARCH seems about right: "Bypass file read permission
checks and directory read and execute permission checks"
Also needs more investigation.
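
A check related to the capability question discussed above, as an added example that is not part of the original message or of the Debian packaging: it reads the `Uid:` and `CapEff:` lines of a `/proc/<pid>/status` file and reports whether a process runs as non-root with only CAP_DAC_READ_SEARCH (capability bit 2) in its effective set. The function name, the verdict strings and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed, not from the Bacula packaging).
# CAP_DAC_READ_SEARCH is capability number 2 in <linux/capability.h>.
CAP_DAC_READ_SEARCH=2

# fd_caps_verdict FILE
# FILE is a copy of (or path to) /proc/<pid>/status. Prints one verdict:
#   root          effective UID is still 0, no privileges were dropped
#   readall-only  non-root, effective set is exactly CAP_DAC_READ_SEARCH
#   no-readall    non-root without CAP_DAC_READ_SEARCH (unreadable files get skipped)
#   excess        non-root, CAP_DAC_READ_SEARCH plus further capabilities
#   unparsable    the Uid: or CapEff: line is missing
fd_caps_verdict() {
    # "Uid:" carries real, effective, saved and filesystem UID; field 3 is effective.
    euid=$(awk '$1 == "Uid:" { print $3; exit }' "$1")
    # "CapEff:" is the effective capability set as a hex bitmask.
    capeff=$(awk '$1 == "CapEff:" { print $2; exit }' "$1")
    if [ -z "$euid" ] || [ -z "$capeff" ]; then
        echo unparsable
        return 2
    fi
    mask=$((0x$capeff))
    want=$((1 << $CAP_DAC_READ_SEARCH))
    if [ "$euid" -eq 0 ]; then
        echo root
    elif [ $((mask & want)) -eq 0 ]; then
        echo no-readall
    elif [ "$mask" -eq "$want" ]; then
        echo readall-only
    else
        echo excess
    fi
}

# Constructed sample: status lines as they would look for a daemon running
# as an unprivileged user (UID 117 is made up) that kept only bit 2.
sample=$(mktemp)
printf 'Uid:\t117\t117\t117\t117\nCapEff:\t0000000000000004\n' > "$sample"
fd_caps_verdict "$sample"
rm -f "$sample"
```

On a running system, pass the status file of the daemon's process, for example `/proc/<pid>/status` with the PID of bacula-fd.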