Bacula-users

Re: [Bacula-users] How to run bacula dir and sd as non-root?

2008-11-19 03:36:08
Subject: Re: [Bacula-users] How to run bacula dir and sd as non-root?
From: Kevin Keane <subscription AT kkeane DOT com>
Date: Wed, 19 Nov 2008 00:32:43 -0800

John Drescher wrote:
> On Tue, Nov 18, 2008 at 12:03 PM, Kevin Keane <subscription AT kkeane DOT com> wrote:
>   
>> In the documentation, I saw the tip to run the director and the SD as a
>> non-root user (
>> http://www.bacula.org/en/rel-manual/Bacula_Security_Issues.html#SECTION004630000000000000000
>> ) I like that idea very much.
>>
>> But I can't quite figure out how to actually do it, because I can't
>> figure out how to tell bacula-dir and bacula-sd to become user "bacula"
>> instead of continuing to run as root. What am I missing?
>>
>>     
>
> You need to edit your startup scripts. This tends to be distribution
> specific so you might want to ask your distro. Or at minimum tell us
> what distro you are using.
>
> John
>   
OK, I think there actually is a lot more to it than that, and in the end 
I wasn't able to get it to work. Let me still write it up so you can 
hopefully just copy and paste it into the documentation:

There are a couple of additional issues. I am running OpenSUSE 10.3 (64 
bit) but these issues probably are similar on most LSB-compliant 
distributions:

- You must edit the init scripts. In /etc/init.d/rcbacula-sd and 
/etc/init.d/rcbacula-dir, add the parameters -u bacula -g bacula to the 
call of startproc.

- Make sure the bacula user can execute the bacula binaries:
  chgrp bacula /usr/sbin/bacula-*

- Double-check that the user bacula is a member of the group bacula, 
especially if you used Yast or useradd or a similar tool to create the user.

- One problem I haven't found a solution to is that the /var/run 
directory where the pid file goes is only writable by root.

There may be additional issues that I haven't found yet.


In the end, I think the better solution would be for bacula-sd and 
bacula-dir to take the user name as a parameter, start up as root, and 
then drop privileges after writing the pid file.

Suggestion for bacula 3.0: it would be even better if bacula-dir could 
run in a chroot jail. Not sure if it's possible to make bacula-sd run in 
a chroot jail as well.

-- 
Kevin Keane
Owner
The NetTech
Turn your NetWORRY into a NetWORK!

Office: 866-642-7116
http://www.4nettech.com
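
The preconditions listed in the message above (group membership, executable binaries, a pid directory the account can write to) can be checked before the init script is changed. The script below is an added example, not part of the original post and not Bacula code; the function names `user_in_group`, `may` and `preflight` are hypothetical, and it assumes a `stat` that supports `-c` (GNU or BusyBox).

```shell
#!/bin/sh
# Added example (not Bacula code): pre-flight checks before an init script
# starts a daemon under an unprivileged account. Function names are made up.

# True if user $1 is in group $2 (primary or supplementary).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# may USER PATH r|w|x: read the mode bits the way the kernel picks a class:
# owner bits if USER owns PATH, else group bits if USER is in PATH's group,
# else "other" bits. Assumes GNU/busybox stat; ignores ACLs and parent dirs.
may() {
    user=$1 target=$2
    case $3 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    info=$(stat -c '%U %G %a' "$target") || return 2
    set -- $info                      # now: $1 owner, $2 group, $3 octal mode
    if [ "$user" = "$1" ]; then shift_by=6
    elif user_in_group "$user" "$2"; then shift_by=3
    else shift_by=0
    fi
    [ $(( (0$3 >> shift_by) & bit )) -ne 0 ]
}

# preflight USER GROUP PIDDIR BINARY...: print each unmet precondition and
# return how many there were (0 means the account can start the daemon).
preflight() {
    pf_user=$1 pf_group=$2 pf_piddir=$3; shift 3
    fails=0
    user_in_group "$pf_user" "$pf_group" ||
        { echo "FAIL: $pf_user is not in group $pf_group"; fails=$((fails + 1)); }
    for bin in "$@"; do
        may "$pf_user" "$bin" x ||
            { echo "FAIL: $pf_user cannot execute $bin"; fails=$((fails + 1)); }
    done
    { may "$pf_user" "$pf_piddir" w && may "$pf_user" "$pf_piddir" x; } ||
        { echo "FAIL: $pf_user cannot create a pid file in $pf_piddir"; fails=$((fails + 1)); }
    return "$fails"
}

# e.g. sh preflight.sh bacula bacula /var/run /usr/sbin/bacula-dir /usr/sbin/bacula-sd
if [ $# -ge 4 ]; then preflight "$@"; fi
```

Because the owner class takes precedence over the group class, a binary owned by the service account with no owner execute bit is reported as not executable even when its group has g+x.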
