[pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
sven at svenhartge.de
Fri Mar 30 19:29:50 UTC 2018
On 30.03.2018 18:03, Julien Cristau wrote:
> On Sun, Mar 4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
>> Control: tags -1 - moreinfo
>> "Adam D. Barratt" <adam at adam-barratt.org.uk> writes:
>>> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
>>> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>>> The first of those "-g" is presumably supposed to be "-u". I realise
>>> this may seem a small point, but it does make me wonder how it wasn't
>>> caught in testing.
>> Thank you for your work and for catching this. A new version of the
>> patch is attached.
> This leaves open the question of how much was this tested. Can you
> describe what has or hasn't been done there?
I tested the proposed packages in a SysV-Init-based Debian Stretch VM. I
can confirm every daemon runs as the user and group it is supposed to
root at debian-stretch:~# ps auwwx | grep [b]acula
root 5101 0.0 0.2 66988 5512 ? Ssl 21:16 0:00
/usr/sbin/bacula-fd -u root -g root -c /etc/bacula/bacula-fd.conf
bacula 5175 0.0 0.2 130420 5384 ? Ssl 21:16 0:00
/usr/sbin/bacula-sd -u bacula -g tape -c /etc/bacula/bacula-sd.conf
bacula 5403 0.0 0.3 74728 6628 ? Ssl 21:20 0:00
/usr/sbin/bacula-dir -u bacula -g bacula -c /etc/bacula/bacula-dir.conf
root at debian-stretch:~# ps -eo pid,comm,euser,supgrp | grep [b]acula
5101 bacula-fd root root
5175 bacula-sd bacula tape
5403 bacula-dir bacula tape,bacula
I also checked why I did not notice the problem Adam spotted in the
first place. I can only guess this happened because bacula-dir fell back
to running as "root" when no "-u bacula" was specified, which made all
my tests work as they should (because root has obviously no restrictions).
The reason for this fallback is the Debian package does not specify a
runtime user at build time. This was done in the past so that the
runtime user can be chosen by the admin of the system.
But since then we changed the packaging and got rid of this ability
because in reality nobody was doing this anyway and it complicated the
If the runtime user were set during package build, this problem would
not have occurred because the parameters -u and -g wouldn't be needed in
the first place.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the pkg-bacula-devel