On Friday 07 July 2006 22:04, Martin Simmons wrote:
> >>>>> On Fri, 7 Jul 2006 11:41:22 +0200, Kern Sibbald said:
> >
> > As you know, users running Bacula under restricted privileges (i.e.
> > user=bacula, group=bacula or disk) have had a number of problems
> > accessing the necessary files. After looking at the source code and
> > several patches that were submitted by Dimitri Puzin, it appears that the
> > documentation of setgroups() is really quite deficient, which means that
> > the current code does not properly initialize all the groups associated
> > with the userid.
> >
> > I've now reworked the original code in a way that I think it should now
> > work correctly -- correctly setup all the groups associated with the
> > userid specified, and add any additional group that may be specified.
> >
> > Note: to change the group (-g xxx), you *must* specify the user (i.e. -u
> > yyy). Another way of saying this is that a -g option without the -u
> > option will be ignored (I suppose I should make it ABORT). This should
> > cause no problem because normally one uses a command line something like
> >
> > bacula-sd -c ... -u bacula -g disk
> >
> > Since the code now initializes all the groups associated with the user
> > specified, the "-g disk" should no longer be necessary providing that the
> > user "bacula" is configured to be in the "disk" group.
> >
> > I would appreciate it if one or more of you could try the patch that I
> > have attached to this email (instructions at the top of the patch) and
> > let me know if it corrects the problems.
>
> I think it won't work in the order you've written it. All calls to
> initgroups() must occur before setuid(), because otherwise it won't have
> permission (unless uid is root).

Perhaps you are right, but then I would consider it an OS bug since any user should have the permission to put himself into all the groups to which he belongs.

As I mentioned above, in researching this, I looked carefully at the patch that Dimitri Puzin submitted, and he does it in the same order as I have (or probably more correctly stated, I did it in the same order that he did).

>
> Also, maybe the call to initgroups() should be inside #if HAVE_GRP_H?

Yes, this is a good idea. I have put the whole thing in one big #ifdef.

>
> __Martin

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users