[pkg-bacula-commits] [bacula] 01/01: Change owner of /etc/bacula/bacula-sd.conf

Sven Hartge hartge-guest at moszumanska.debian.org
Tue Sep 20 18:57:00 UTC 2016 

This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch hardcode-users
in repository bacula.

commit bd85d1fdf8d7053305af4500151d16029c504862
Author: Sven Hartge <sven at svenhartge.de>
Date:   Tue Sep 20 20:53:04 2016 +0200

    Change owner of /etc/bacula/bacula-sd.conf
    
    bacula-sd is no longer starting as root but already chuid()ed by
    start-stop-daemon or systemd to bacula:tape. If the configuration has
    the old permissions
    
    -rw-r-----   1 root bacula bacula-sd.conf
    
    it will not be able to read the file. Changing the owner to
    bacula:bacula fixes this problem.
    
    Changing the group to "tape" to match the run-tim group of bacula-sd
    will allow any user in that group to read the credentials for bacula-sd
    which may be a security flaw and should be avoided.
---
 debian/bacula-sd.postinst | 4 +++-
 debian/changelog          | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/debian/bacula-sd.postinst b/debian/bacula-sd.postinst
index db47d65..c615dd6 100644
--- a/debian/bacula-sd.postinst
+++ b/debian/bacula-sd.postinst
@@ -14,11 +14,13 @@ setup_etc_default bacula-sd $@
 case "$1" in
     configure)
 	if [ ! -f $TARGET ]; then
-	    install -m 640 -o root -g bacula $SRCDIR/$CONFIG $TARGET
+	    install -m 640 -o bacula -g bacula $SRCDIR/$CONFIG $TARGET
 	    sed -e s~@debian_hostname@~`hostname`~ \
 		-e s~XXX_SDPASSWORD_XXX~$SDPASSWD~ \
 		-e s~XXX_MONSDPASSWORD_XXX~$SDMPASSWD~ \
 		-i $TARGET
+	else
+	    chown bacula:bacula $TARGET
 	fi
     ;;
 esac
diff --git a/debian/changelog b/debian/changelog
index 9c44942..9a586b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,9 @@ bacula (7.4.3+dfsg-8) unstable; urgency=medium
     generation which does not work if the daemon changes its
     uid/git itself. (See Issue#1905 in Bacula-BTS and commit 
     39240129 and f085b9e9 in upstream git.)
+  * Change owner of /etc/bacula/bacula-sd.conf to bacula:bacula
+    bacula-sd needs to read it even if it is already running
+    as non-root user bacula.
 
  -- Sven Hartge <sven at senhartge.de>  Tue, 20 Sep 2016 20:18:32 +0200
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git

More information about the pkg-bacula-commits mailing list