John Drescher wrote:
> On Tue, Nov 18, 2008 at 12:03 PM, Kevin Keane <[EMAIL PROTECTED]> wrote:
>
>> In the documentation, I saw the tip to run the director and the SD as a
>> non-root user (
>> http://www.bacula.org/en/rel-manual/Bacula_Security_Issues.html#SECTION004630000000000000000
>> ) I like that idea very much.
>>
>> But I can't quite figure out how to actually do it, because I can't
>> figure out how to tell bacula-dir and bacula-sd to become user "bacula"
>> instead of continuing to run as root. What am I missing?
>>
>
> You need to edit your startup scripts. This tends to be distribution
> specific so you might want to ask your distro. Or at minimum tell us
> what distro you are using.
>
> John
>

OK, I think there actually is a lot more to it than that, and in the end I wasn't able to get it to work. Let me still write it up so you can hopefully just copy and paste it into the documentation:

There are a couple of additional issues. I am running OpenSUSE 10.3 (64 bit) but these issues probably are similar on most LSB-compliant distributions:

- You must edit the init scripts. In /etc/init.d/rcbacula-sd and /etc/init.d/rcbacula-dir, add the parameters -u bacula -g bacula to the call of startproc.

- Make sure the bacula user can execute the bacula binaries: chgrp bacula /usr/sbin/bacula-*

- Double-check that the user bacula is a member of the group bacula, especially if you used Yast or useradd or a similar tool to create the user.

- One problem I haven't found a solution to is that the /var/run directory where the pid file goes is only writable by root.

There may be additional issues that I haven't found yet.

In the end, I think the better solution would be for bacula-sd and bacula-dir to take the user name as a parameter, start up as root, and then drop privileges after writing the pid file.

Suggestion for bacula 3.0: it would be even better if bacula-dir could run in a chroot jail. Not sure if it's possible to make bacula-sd run in a chroot jail as well.

--
Kevin Keane
Owner
The NetTech
Turn your NetWORRY into a NetWORK!

Office: 866-642-7116
http://www.4nettech.com

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
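
The design suggested at the end of the message above (start as root, write the pid file, then drop privileges) looks like this in C. This is an added example, not part of the original message and not Bacula's code; the function names, the demo pid path and the uid/gid 65534 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Write our pid to `path` while still privileged (e.g. a root-only /var/run).
 * O_CREAT|O_EXCL fails on an existing file or symlink instead of reusing it. */
int write_pid_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    int ok = write(fd, buf, (size_t)n) == (ssize_t)n;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() != 0) {      /* not root: fine only if already the target */
        int same = getuid() == uid && geteuid() == uid &&
                   getgid() == gid && getegid() == gid;
        if (!same) errno = EPERM;
        return same ? 0 : -1;
    }
    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is dropped the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || setgid(0) == 0) { errno = EPERM; return -1; }
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Constructed demo values: pid path and "nobody"-style ids 65534. */
    const char *pid = argc > 1 ? argv[1] : "/tmp/demo-daemon.pid";
    if (write_pid_file(pid) != 0) { perror("pid file"); return 1; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Because the pid file is created before the drop, the unprivileged process never needs write access to the pid directory; a stale pid file has to be removed by whatever starts the daemon.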