[pkg-bacula-devel] Hardening systemd

Sven Hartge sven at svenhartge.de
Fri Dec 28 23:09:35 GMT 2018


On 27.12.18 19:34, Sven Hartge wrote:

> The normal backup and catalog backups run as you would expect, restores
> also work fine and this time I double-checked all permissions, users,
> ACLs and attributes have also been restored correctly.

Clearly, this wasn't the case.

Lesson one: when testing something, you need to make sure you are
*really* testing what you want to test.

Lesson two: when testing something, you need to make sure you can
reproduce the results multiple times.

Lesson three: Sven can *not* be trusted around capabilities, as this is
the *third* time he messed this up.

Capabilities are something really powerful and useful, *but* one needs to
be careful with them. Remove all capabilities from root and he is no
more powerful than any other user.

For the DIR and the SD having no capabilities is fine, they run as a
non-root user anyway, but the FD of course needs more capabilities to do
his job.

With my latest change I restored this state to restore working order.

But one *can* remove some capabilities from the FD, just not *all*.

I need to identify those unnecessary capabilities and blacklist them
one-by-one or whitelist the ones the FD needs.

As a daemon running as root removing dangerous stuff can be more
important than doing so for an already restricted user.

Regards,
Sven.
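
Added example, not part of the original message and not code from the Bacula packaging: a small decoder for the Cap* masks in /proc/<pid>/status that reports which capabilities a root process lacks and which ones remain as candidates for a blacklist. The status text is constructed, and the NEEDED_ASSUMED set is an illustrative assumption, not a confirmed list of what the FD requires.

```python
import re

# Capability names in bit order 0..40, as defined in linux/capability.h.
CAP_NAMES = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF
CAP_CHECKPOINT_RESTORE""".split()

# Assumption for illustration only: capabilities a file restore plausibly needs
# (set ownership, bypass permission checks). Not a verified list for bacula-fd.
NEEDED_ASSUMED = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER"}

def parse_caps(status_text):
    """Map each Cap* field of a /proc/<pid>/status dump to a set of names."""
    caps = {}
    for field, hexmask in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        mask = int(hexmask, 16)
        caps[field] = {n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}
    return caps

def missing(status_text, needed):
    """Capabilities from `needed` that are absent from the effective set."""
    return sorted(set(needed) - parse_caps(status_text).get("CapEff", set()))

def droppable(status_text, needed):
    """Capabilities still in the bounding set that `needed` does not list."""
    return sorted(parse_caps(status_text).get("CapBnd", set()) - set(needed))

def sample_status(mask):
    """Constructed status excerpt for a process running as uid 0."""
    return (f"Name:\tbacula-fd\nUid:\t0\t0\t0\t0\nCapInh:\t{0:016x}\n"
            f"CapPrm:\t{mask:016x}\nCapEff:\t{mask:016x}\nCapBnd:\t{mask:016x}\n"
            f"CapAmb:\t{0:016x}\n")

ROOT_NO_CAPS = sample_status(0)             # uid 0 with every capability removed
ROOT_FULL = sample_status(0x3FFFFFFFFF)     # uid 0 with capability bits 0..37 set

if __name__ == "__main__":
    print("no caps, missing:", missing(ROOT_NO_CAPS, NEEDED_ASSUMED))
    print("full set, blacklist candidates:", len(droppable(ROOT_FULL, NEEDED_ASSUMED)))
```

Feeding the functions the real contents of /proc/<pid>/status for the running daemon, before and after a unit change, shows whether uid 0 still holds the capabilities a restore depends on.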
