[pkg-bacula-devel] Bug#910927: bacula-sd.service should specify SupplementaryGroups=bacula

[Sergio Gelato]

Package: bacula-sd
Version: 7.4.4+dfsg-6

There is a difference in behaviour between the SystemV init script,
/etc/init.d/bacula-sd, and its systemd counterpart. The former starts
/usr/sbin/bacula-sd as root with command-line arguments to specify the
uid and gid to run as, while in the latter systemd starts the daemon
with User=bacula and Group=tape. This difference has an impact on the
running daemon's supplementary group list: in the SystemV case this
includes group bacula, but not in the systemd case.

This can lead to problems when switching from SystemV to systemd (e.g.,
on upgrade from jessie to stretch) if the administrator has chosen to
rely on membership in group bacula for access control. One scenario where
this will occur is if bacula-sd is configured to use TLS credentials and
the secret key is owned by root:bacula and not readable by others. (One
may want the daemon to only have read access to the key, and group tape
may have other members who should not have access.)

Adding /etc/systemd/system/bacula-sd.service.d/groups.conf with

[Service]
SupplementaryGroups=bacula

has been verified to cure the symptoms. I suggest including this setting
in /lib/systemd/system/bacula-sd.service .