John Drescher wrote:
> On Tue, Nov 18, 2008 at 12:03 PM, Kevin Keane <subscription AT kkeane DOT
> com> wrote:
>
>> In the documentation, I saw the tip to run the director and the SD as a
>> non-root user (
>> http://www.bacula.org/en/rel-manual/Bacula_Security_Issues.html#SECTION004630000000000000000
>> ) I like that idea very much.
>>
>> But I can't quite figure out how to actually do it, because I can't
>> figure out how to tell bacula-dir and bacula-sd to become user "bacula"
>> instead of continuing to run as root. What am I missing?
>>
>>
>
> You need to edit your startup scripts. This tends to be distribution
> specific so you might want to ask your distro. Or at minimum tell us
> what distro you are using.
>
> John
>
OK, I think there actually is a lot more to it than that, and in the end
I wasn't able to get it to work. Let me still write it up so you can
hopefully just copy and paste it into the documentation:

There are a couple of additional issues. I am running OpenSUSE 10.3 (64
bit), but these issues are probably similar on most LSB-compliant
distributions:

- You must edit the init scripts. In /etc/init.d/rcbacula-sd and
  /etc/init.d/rcbacula-dir, add the parameters -u bacula -g bacula to the
  call of startproc.
- Make sure the bacula user can execute the bacula binaries: chgrp
  bacula /usr/sbin/bacula-*
- Double-check that the user bacula is a member of the group bacula,
  especially if you used YaST or useradd or a similar tool to create the user.
- One problem I haven't found a solution to is that the /var/run
  directory where the pid file goes is only writable by root.

There may be additional issues that I haven't found yet.

In the end, I think the better solution would be for bacula-sd and
bacula-dir to take the user name as a parameter, start up as root, and
then drop privileges after writing the pid file.

Suggestion for Bacula 3.0: it would be even better if bacula-dir could
run in a chroot jail. Not sure if it's possible to make bacula-sd run in
a chroot jail as well.
--
Kevin Keane
Owner
The NetTech
Turn your NetWORRY into a NetWORK!
Office: 866-642-7116
http://www.4nettech.com
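
The startup order proposed in the message above (start as root, write the pid file, then drop privileges), written out in C as an added example. It is not code from this thread or from Bacula; the pid file path and the bacula user/group defaults in main() are assumptions.

```c
#define _GNU_SOURCE              /* setgroups(), dprintf(), O_NOFOLLOW */
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Step 1, still root: create the pid file (/var/run is root-writable only). */
int write_pidfile(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int ok = dprintf(fd, "%ld\n", (long)pid) > 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Step 2: permanently become user:group. Supplementary groups and gid are
 * changed first because both calls need root; the uid goes last. */
int drop_privileges(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    uid_t uid = pw->pw_uid;
    struct group *gr = getgrnam(group);
    if (!gr)
        return -1;
    gid_t gid = gr->gr_gid;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Fail closed if root can still be regained after the drop. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Constructed defaults: the pid file path and the names are assumptions. */
int main(int argc, char **argv)
{
    const char *pidfile = argc > 1 ? argv[1] : "/var/run/example-daemon.pid";
    const char *user = argc > 2 ? argv[2] : "bacula";
    const char *group = argc > 3 ? argv[3] : "bacula";
    if (write_pidfile(pidfile, getpid()) != 0 || drop_privileges(user, group) != 0) {
        fprintf(stderr, "startup failed\n");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Started without root, drop_privileges() returns -1 because setgroups() is refused, so the process exits instead of continuing with the wrong identity.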
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users