[pkg-bacula-devel] user/group setting in init-scripts and units
Sven Hartge
sven at svenhartge.de
Mon Jul 18 09:37:41 UTC 2016
Um 11:27 Uhr am 18.07.16 schrieb Sven Hartge:
> Um 11:21 Uhr am 18.07.16 schrieb Sven Hartge:
>> Maybe we need some capabilites in the filesystem, like ping does have.
>> CAP_DAC_READ_SEARCH seems about right: "Bypass file read permission
>> checks and directory read and execute permission checks"
>> Also needs more investigation.
> I see from the source in src/lib/priv.c that Bacula already contains
> support for capabilites and the binaries also link against libcap. But
> this is Linux-only, isn't it? This would then not work on FreeBSD (or
> Hurd), again complicating the init-scripts and package setup.
For Linux it works:
# setcap "cap_dac_read_search+ep" /usr/sbin/bacula-fd
# start-stop-daemon --start --chuid bacula:bacula --exec /usr/sbin/bacula-fd -- -c /etc/bacula/bacula-fd.conf
# (run backup job, containing files normally unreadable by user "bacula")
# (job works).
If I remove the capability, bacula-fd won't even start, because
/etc/bacula/bacula-fd.conf is only readable by root.
So, yes, for Linux we could implement a non-root bacula-fd while still not
using -u and -g.
Grüße,
Sven
More information about the pkg-bacula-devel
mailing list