[pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

Sven Hartge sven at svenhartge.de
Fri Mar 30 19:29:50 UTC 2018

On 30.03.2018 18:03, Julien Cristau wrote:
> On Sun, Mar  4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
>> Control: tags -1 - moreinfo
>> "Adam D. Barratt" <adam at adam-barratt.org.uk> writes:
>>> -		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
>>> +		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>>> The first of those "-g" is presumably supposed to be "-u". I realise
>>> this may seem a small point, but it does make me wonder how it wasn't
>>> caught in testing.
>> Thank you for your work and for catching this. A new version of the
>> patch is attached.
> This leaves open the question of how much was this tested.  Can you
> describe what has or hasn't been done there?

I tested the proposed packages in a SysV-Init-based Debian Stretch VM. I
can confirm every daemon runs as the user and group it is supposed to
run as.

root at debian-stretch:~# ps auwwx | grep [b]acula
root      5101  0.0  0.2  66988  5512 ?        Ssl  21:16   0:00
/usr/sbin/bacula-fd -u root -g root -c /etc/bacula/bacula-fd.conf
bacula    5175  0.0  0.2 130420  5384 ?        Ssl  21:16   0:00
/usr/sbin/bacula-sd -u bacula -g tape -c /etc/bacula/bacula-sd.conf
bacula    5403  0.0  0.3  74728  6628 ?        Ssl  21:20   0:00
/usr/sbin/bacula-dir -u bacula -g bacula -c /etc/bacula/bacula-dir.conf

root at debian-stretch:~# ps -eo pid,comm,euser,supgrp | grep [b]acula
 5101 bacula-fd       root     root
 5175 bacula-sd       bacula   tape
 5403 bacula-dir      bacula   tape,bacula

I also checked why I did not notice the problem Adam spotted in the
first place. I can only guess this happened because bacula-dir fell back
to running as "root" when no "-u bacula" was specified, which made all
my tests work as they should (because root has obviously no restrictions).

The reason for this fallback is the Debian package does not specify a
runtime user at build time. This was done in the past so that the
runtime user can be chosen by the admin of the system.

But since then we changed the packaging and got rid of this ability
because in reality nobody was doing this anyway and it complicated the

If the runtime user were set during package build, this problem would
not have occurred because the parameters -u and -g wouldn't be needed in
the first place.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-bacula-devel/attachments/20180330/a95e1018/attachment.sig>

More information about the pkg-bacula-devel mailing list