[pkg-bacula-devel] user/group setting in init-scripts and units

Sven Hartge sven at svenhartge.de
Mon Jul 18 09:37:41 UTC 2016

Um 11:27 Uhr am 18.07.16 schrieb Sven Hartge:
> Um 11:21 Uhr am 18.07.16 schrieb Sven Hartge:
>> Maybe we need some capabilites in the filesystem, like ping does have.
>> CAP_DAC_READ_SEARCH seems about right: "Bypass file read permission 
>> checks and directory read and execute permission checks"
>> Also needs more investigation.
> I see from the source in src/lib/priv.c that Bacula already contains 
> support for capabilites and the binaries also link against libcap. But 
> this is Linux-only, isn't it? This would then not work on FreeBSD (or 
> Hurd), again complicating the init-scripts and package setup.

For Linux it works:

# setcap "cap_dac_read_search+ep" /usr/sbin/bacula-fd

# start-stop-daemon --start --chuid bacula:bacula --exec /usr/sbin/bacula-fd -- -c /etc/bacula/bacula-fd.conf

# (run backup job, containing files normally unreadable by user "bacula")
# (job works).

If I remove the capability, bacula-fd won't even start, because 
/etc/bacula/bacula-fd.conf is only readable by root.

So, yes, for Linux we could implement a non-root bacula-fd while still not 
using -u and -g.


More information about the pkg-bacula-devel mailing list