[pkg-bacula-commits] [bacula] 01/01: parse ENABLE_NONROOT in init-script to activate non-root feature

Mon Jul 18 10:59:05 UTC 2016

This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch systemd-fixuser
in repository bacula.

commit f5f930f4f6e2996b5ae85f140343ae0f24cbc6ca
Author: Sven Hartge <sven at svenhartge.de>
Date:   Mon Jul 18 12:57:59 2016 +0200

    parse ENABLE_NONROOT in init-script to activate non-root feature
    
    Currently the default is set to false if ENABLE_NONROOT is missing
    from /etc/default/bacula-fd. The future default needs to be discussed.
---
 debian/TODO           |  7 +++++++
 debian/bacula-fd.init | 12 ++++++++++--
 debian/changelog      |  2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/debian/TODO b/debian/TODO
index 696343b..9fd685b 100644
--- a/debian/TODO
+++ b/debian/TODO
@@ -20,6 +20,13 @@ Wishlist:
    http://www.bacula.org/7.4.x-manuals/en/main/New_Features_in_5_2_13.html#SECTION00658000000000000000
    https://lists.alioth.debian.org/pipermail/pkg-bacula-devel/2016-July/001536.html
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699149
+   Done:
+        - setcap cap_dac_read_search+ep for /usr/sbin/bacula-fd via postinst
+        - parsing variable ENABLE_NONROOT in bacula-fd init-script
+   Missing:
+        - decide if non-root should be default on Linux or not
+        - adding ENABLE_NONROOT=true/false to /etc/default/bacula-fd
+        - document way to do the systemd drop-in configuration to enable/disable non-root
 
 Old:
 
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 5ce0e19..32e0acd 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -31,6 +31,7 @@ PORT=9102
 DESC="Bacula File daemon"
 BUSER="root"
 BGROUP="root"
+KEEPCAPS=""
 
 test -x $DAEMON || exit 0
 
@@ -44,16 +45,23 @@ if [ -r /etc/default/$NAME ]; then
 	. /etc/default/$NAME
 fi
 
+ENABLE_NONROOT="${ENABLE_NONROOT:-false}"
+
+if [ "$ENABLE_NONROOT" = "true" ]; then 
+	BUSER="bacula"
+	BGROUP="bacula"
+	KEEPCAPS="-k"
+fi
+
 CONFIG="${CONFIG:-/etc/bacula/$NAME.conf}"
 
 create_var_run_dir
 
-
 PIDFILE=/var/run/bacula/$NAME.$PORT.pid
 
 do_start()
 {
-	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
+	if $DAEMON -u $BUSER -g $BGROUP $KEEPCAPS -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
 		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG 
 		return 0
diff --git a/debian/changelog b/debian/changelog
index 65ffc77..ae9726c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,8 @@ bacula (7.4.2+dfsg-4) UNRELEASED; urgency=medium
     and storage daemon
   * add capability cap_dac_read_search to bacula-fd, making it possible
     to run as non-root in the future.
+  * change bacula-fd init-script to make running as non-root configurable
+    by the admin via /etc/default/bacula-fd
 
  -- Sven Hartge <sven at svenhartge.de>  Tue, 14 Jul 2016 11:36:12 +0200
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git

