[pkg-bacula-commits] [bacula] 01/01: Add cap_dac_read_search to bacula-fd

Sven Hartge hartge-guest at moszumanska.debian.org
Mon Jul 18 10:39:06 UTC 2016 

This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch systemd-fixuser
in repository bacula.

commit 3d6c7ec68610885e467c04b0db1d7ee38a7bda47
Author: Sven Hartge <sven at svenhartge.de>
Date:   Mon Jul 18 12:37:35 2016 +0200

    Add cap_dac_read_search to bacula-fd
    
    This allows bacula-fd to run as non-root in the future.
    Configuration options to assist the administrator may be added
    to the package in the future.
---
 debian/bacula-fd.postinst | 11 +++++++++++
 debian/changelog          |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/debian/bacula-fd.postinst b/debian/bacula-fd.postinst
index d2fee5f..57d9571 100644
--- a/debian/bacula-fd.postinst
+++ b/debian/bacula-fd.postinst
@@ -50,6 +50,17 @@ case "$1" in
 	# Harden permissions, so that passwords can not be looked at
 	chown root:root $TARGET
 	chmod 640 $TARGET
+
+	# If we have setcap is installed, try setting cap_dac_read_search+ep,
+	# which allows running bacula-fd as non-root.
+	if command -v setcap > /dev/null; then
+	    if ! setcap cap_dac_read_search+ep /usr/sbin/bacula-fd; then
+	        echo "Setcap failed on /usr/sbin/bacula-fd, running bacula-fd as non-root not possible" >&2
+	    fi
+	else
+	    echo "Setcap is not installed, running bacula-fd as non-root not possible" >&2
+	fi  
+
     ;; 
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/changelog b/debian/changelog
index 7dfdcd0..65ffc77 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ bacula (7.4.2+dfsg-4) UNRELEASED; urgency=medium
   * readd lost tmpfiles.d/bacula.conf to create /var/run/bacula
   * remove configuration option to change runtime user for director
     and storage daemon
+  * add capability cap_dac_read_search to bacula-fd, making it possible
+    to run as non-root in the future.
 
  -- Sven Hartge <sven at svenhartge.de>  Tue, 14 Jul 2016 11:36:12 +0200
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git

More information about the pkg-bacula-commits mailing list