[pkg-bacula-devel] Bug#910927: bacula-sd.service should specify SupplementaryGroups=bacula

Sergio Gelato Sergio.Gelato at astro.su.se
Sat Oct 13 14:21:08 BST 2018

Package: bacula-sd
Version: 7.4.4+dfsg-6

There is a difference in behaviour between the SystemV init script,
/etc/init.d/bacula-sd, and its systemd counterpart. The former starts
/usr/sbin/bacula-sd as root with command-line arguments to specify the
uid and gid to run as, while in the latter systemd starts the daemon
with User=bacula and Group=tape. This difference has an impact on the
running daemon's supplementary group list: in the SystemV case this
includes group bacula, but not in the systemd case.

This can lead to problems when switching from SystemV to systemd (e.g.,
on upgrade from jessie to stretch) if the administrator has chosen to
rely on membership in group bacula for access control. One scenario where
this will occur is if bacula-sd is configured to use TLS credentials and
the secret key is owned by root:bacula and not readable by others. (One
may want the daemon to only have read access to the key, and group tape
may have other members who should not have access.)

Adding /etc/systemd/system/bacula-sd.service.d/groups.conf with


has been verified to cure the symptoms. I suggest including this setting
in /lib/systemd/system/bacula-sd.service .

More information about the pkg-bacula-devel mailing list