[pkg-bacula-devel] user/group setting in init-scripts and units

Sven Hartge sven at svenhartge.de
Mon Jul 18 09:43:21 UTC 2016


At 11:36 on 18.07.16, Carsten Leonhardt wrote:

>>> Maybe we need some capabilities in the filesystem, like ping does have.
>>> CAP_DAC_READ_SEARCH seems about right: "Bypass file read permission 
>>> checks and directory read and execute permission checks" Also needs 
>>> more investigation.

>> I see from the source in src/lib/priv.c that Bacula already contains 
>> support for capabilities and the binaries also link against libcap. But
>> this is Linux-only, isn't it? This would then not work on FreeBSD (or 
>> Hurd), again complicating the init-scripts and package setup.
 
> yes, and I don't think that we will actively support this in Debian. If
> someone wants to run bacula-fd like that, they will have to override the 
> defaults somehow. With sysvinit, that would be possible in 
> /etc/defaults/bacula-fd and IIRC someplace else with systemd.

We could set the needed capabilities (see other mail); if the user then wants
to change the runtime user of bacula-fd, he would have less work to do.

Running bacula-fd as bacula:bacula could then be a simple switch in 
/etc/defaults/bacula-fd (ENABLE_NONROOT=true) and a short notice on how to
override the user for the systemd unit (no other clean way to do it from 
defaults/bacula-fd, I am afraid).

Regards,
Sven.
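
Added example, not part of the original mail or of the Debian packaging: a shell check an administrator could run after switching bacula-fd to bacula:bacula, to confirm the daemon is non-root and holds only CAP_DAC_READ_SEARCH (capability number 2, mask 0x4) in its effective set. The function name, the sample uid/gid and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# CAP_DAC_READ_SEARCH is capability number 2 in <linux/capability.h>,
# so its bit in the CapEff mask of /proc/<pid>/status is 1 << 2 = 0x4.
CAP_DAC_READ_SEARCH_MASK=4

# Reads the text of /proc/<pid>/status on stdin and prints one verdict:
#   root                  effective uid is 0, nothing was dropped
#   nonroot-no-readcap    non-root, but cannot bypass read permission checks
#   nonroot-extra-caps    non-root, holds more than CAP_DAC_READ_SEARCH
#   nonroot-readcap-only  non-root with exactly CAP_DAC_READ_SEARCH
# Returns 0 only for the last verdict, 2 if the input cannot be parsed.
classify_status() {
    euid=""; capeff=""
    while read -r key v1 v2 _rest; do
        case "$key" in
            Uid:)    euid=$v2 ;;    # fields: real, effective, saved, fs
            CapEff:) capeff=$v1 ;;  # hex bitmask of effective capabilities
        esac
    done
    [ -n "$euid" ] && [ -n "$capeff" ] || { echo "unparsable"; return 2; }
    if [ "$euid" -eq 0 ]; then
        echo "root"; return 1
    fi
    mask=$((0x$capeff))
    if [ $((mask & CAP_DAC_READ_SEARCH_MASK)) -eq 0 ]; then
        echo "nonroot-no-readcap"; return 1
    fi
    if [ "$mask" -ne "$CAP_DAC_READ_SEARCH_MASK" ]; then
        echo "nonroot-extra-caps"; return 1
    fi
    echo "nonroot-readcap-only"
}

# Constructed sample (not captured from a real host): a file daemon running
# as uid 120 / gid 130 with only CAP_DAC_READ_SEARCH effective.
SAMPLE_STATUS='Name: bacula-fd
Uid: 120 120 120 120
Gid: 130 130 130 130
CapPrm: 0000000000000004
CapEff: 0000000000000004'
printf '%s\n' "$SAMPLE_STATUS" | classify_status

# Against a live daemon (assumes pidof is installed):
#   classify_status < "/proc/$(pidof bacula-fd)/status"
```

CAP_DAC_READ_SEARCH only bypasses read and directory-search checks, so this verdict says nothing about whether restores, which write files and set ownership, would work under the same account.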


