[pkg-bacula-commits] [bacula] 02/02: Change non-root mode to default again

Sven Hartge hartge-guest at moszumanska.debian.org
Tue Aug 30 08:57:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch systemd-fixuser
in repository bacula.

commit 7bb82b1a88fd086ffad8a2b39ce525264bd0acb3
Author: Sven Hartge <sven at svenhartge.de>
Date:   Tue Aug 30 10:56:40 2016 +0200

    Change non-root mode to default again
    
    Make running as non-root optional again, document restoring with a non-root
    running bacula-fd.
---
 debian/README.Debian  | 16 +++++++++++-----
 debian/bacula-fd.init |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index f9d1a1e..c8d2494 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -89,20 +89,20 @@ installing a different bacula-director-DBTYPE package. This will pull
 in the needed dependencies for the new database backend and remove the
 ones from the old one.
 
-DISABLING NON-ROOT MODE FOR BACULA-FD
+ENABLING NON-ROOT MODE FOR BACULA-FD
 =====================================
 
 On Linux systems with capabilities bacula-fd runs as a non-root user
 with read-only privileges to all files. This reduces the attack
 surface the daemon provides.
 
-You can disable this security feature the following ways, depending on
+You can enable this security feature the following ways, depending on
 your system setup:
 
 a) for SysV-init based systems:
 
    Edit /etc/default/bacula-fd and add
-   ENABLE_NONROOT=false
+   ENABLE_NONROOT=true
 
 b) for systemd based systems:
 
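Review bot: The unchanged paragraph under the renamed heading still reads "bacula-fd runs as a non-root user with read-only privileges to all files", which describes non-root as the standing behaviour, while the heading and the next sentence now present it as something to enable. Reword it to say that bacula-fd can run as a non-root user and that running as root is the default. The "=====" underline is also left unchanged although the new heading is one character shorter.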
@@ -110,8 +110,14 @@ b) for systemd based systems:
    into the override configuration:
 
    [Service]
-   User=root
-   Group=root
+   User=bacula
+   Group=bacula
+
+Warning: if you run bacula-fd as non-root, you will not be able to
+restore file directly to the original positions, restored files
+will have to go to a path writable by the user bacula-fd runs as,
+for example /tmp/bacula-restores. Restored files will also have the
+wrong user and possibly missing ACLs.
 
 
 CONSOLE
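Review bot: The example restore target /tmp/bacula-restores in the added warning is a fixed name under a world-writable directory. Suggest a dedicated directory owned by the user bacula-fd runs as, with restrictive permissions, so that other local users can neither pre-create the path nor read restored data. The warning also sits directly under item b) although it applies equally to the SysV case in a), so it would read better as its own paragraph addressed to both. "restore file directly" should be "restore files directly", and "wrong user" would be clearer as "wrong owner".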
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 553255f..c624804 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -42,7 +42,7 @@ if [ -r /etc/default/$NAME ]; then
 	. /etc/default/$NAME
 fi
 
-ENABLE_NONROOT="${ENABLE_NONROOT:-true}"
+ENABLE_NONROOT="${ENABLE_NONROOT:-false}"
 
 if [ -x /sbin/getcap ]; then
 	GETCAPS=`/sbin/getcap $DAEMON`
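Review bot: Flipping the fallback to "${ENABLE_NONROOT:-false}" means SysV installs that never set ENABLE_NONROOT in /etc/default/bacula-fd lose non-root mode on upgrade, with no notice to the admin. The diffstat touches only README.Debian and bacula-fd.init, so consider adding a NEWS.Debian entry, or shipping a commented ENABLE_NONROOT=true line in /etc/default/bacula-fd so the option is discoverable.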

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git


