Bacula-users

Re: [Bacula-users] How to run bacula dir and sd as non-root?

2008-11-19 03:54:51
Subject: Re: [Bacula-users] How to run bacula dir and sd as non-root?
From: Kevin Keane <subscription AT kkeane DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 19 Nov 2008 00:53:02 -0800
Kevin Keane wrote:
> John Drescher wrote:
>> On Tue, Nov 18, 2008 at 12:03 PM, Kevin Keane <subscription AT kkeane DOT com> wrote:
>>> In the documentation, I saw the tip to run the director and the SD as a
>>> non-root user (
>>> http://www.bacula.org/en/rel-manual/Bacula_Security_Issues.html#SECTION004630000000000000000
>>> ) I like that idea very much.
>>>
>>> But I can't quite figure out how to actually do it, because I can't
>>> figure out how to tell bacula-dir and bacula-sd to become user "bacula"
>>> instead of continuing to run as root. What am I missing?
>>>
>> You need to edit your startup scripts. This tends to be distribution
>> specific so you might want to ask your distro. Or at minimum tell us
>> what distro you are using.
>>
>> John
> OK, I think there actually is a lot more to it than that, and in the end 
> I wasn't able to get it to work. Let me still write it up so you can 
> hopefully just copy and paste it into the documentation:
>
> There are a couple of additional issues. I am running OpenSUSE 10.3 (64 
> bit) but these issues probably are similar on most LSB-compliant 
> distributions:
>
> - You must edit the init scripts. In /etc/init.d/rcbacula-sd and 
> /etc/init.d/rcbacula-dir, add the parameters -u bacula -g bacula to the 
> call of startproc.
>
> - Make sure the bacula user can execute the bacula binaries: chgrp 
> bacula /usr/sbin/bacula-*
>
> - Double-check that the user bacula is a member of the group bacula, 
> especially if you used Yast or useradd or a similar tool to create the user.
>
> - One problem I haven't found a solution to is that the /var/run 
> directory where the pid file goes is only writable by root.
>
> There may be additional issues that I haven't found yet.
>
>
> In the end, I think the better solution would be for bacula-sd and 
> bacula-dir to take the user name as a parameter, start up as root, and 
> then drop privileges after writing the pid file.
Never mind... I see that bacula already has that feature. So the correct 
instructions should be - and I was able to make it work now:

There are a couple of additional issues. I am running OpenSUSE 10.3 (64 
bit) but these issues probably are similar on most LSB-compliant 
distributions:

- You must edit the init scripts. In /etc/init.d/rcbacula-sd and 
/etc/init.d/rcbacula-dir, add the parameters -u bacula -g bacula to bacula-sd 
or bacula-dir, respectively. Exactly how to do that may vary for other 
distributions.

For instance, in OpenSUSE's /etc/init.d/bacula-dir file, add -u bacula -g 
bacula to the end of the following line:

        startproc -q $BACULA_FD_BIN -c /etc/bacula/bacula-dir.conf -u bacula -g bacula

Make the same corresponding change to /etc/init.d/bacula-sd.

- Double-check that the user bacula is a member of the group bacula, 
especially if you used Yast or useradd or a similar tool to create the user.


Thanks for all your help!


-- 
Kevin Keane
Owner
The NetTech
Turn your NetWORRY into a NetWORK!

Office: 866-642-7116
http://www.4nettech.com
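
A check to run after the init-script change described in the message above, added here as an example; it is not part of the original post or of Bacula. It confirms that bacula-dir and bacula-sd really run as bacula:bacula and that the user is in the group. The function names and the `--live` switch are this example's own, and the live path assumes a procps-style `ps`.

```shell
#!/bin/sh
# Added example: post-change check for Bacula daemons started with -u/-g.

# user_in_group USER GROUP: succeeds if USER is a member of GROUP.
user_in_group() {
    for grp in $(id -Gn "$1" 2>/dev/null); do
        [ "$grp" = "$2" ] && return 0
    done
    return 1
}

# check_daemon_ids USER GROUP: reads "user group command" lines on stdin
# (the layout of `ps -eo user=,group=,comm=`), prints a FAIL line for each
# bacula-dir or bacula-sd process not running as USER:GROUP, and a WARN line
# for a daemon that is not running at all. Returns 1 if any FAIL was printed.
check_daemon_ids() {
    awk -v u="$1" -v g="$2" '
        $3 == "bacula-dir" || $3 == "bacula-sd" {
            seen[$3] = 1
            if ($1 != u || $2 != g) {
                print "FAIL " $3 " runs as " $1 ":" $2
                bad = 1
            }
        }
        END {
            if (!("bacula-dir" in seen)) print "WARN bacula-dir not running"
            if (!("bacula-sd" in seen)) print "WARN bacula-sd not running"
            exit (bad ? 1 : 0)
        }'
}

# Live use (assumes a procps-style ps): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    user_in_group bacula bacula || echo "FAIL user bacula is not in group bacula"
    ps -eo user=,group=,comm= | check_daemon_ids bacula bacula
fi
```

A daemon that still shows up as root after a restart usually means the flags ended up on a line the init script does not execute, or the old process was never stopped.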
