[pkg-bacula-commits] [bacula] 01/01: Mitigate CVE 2017-14610 by having daemons drop privileges themselves

Sven Hartge hartge-guest at moszumanska.debian.org
Mon Oct 16 16:57:18 UTC 2017 

This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch CVE-2017-14610
in repository bacula.

commit 2d8170aeb9a5c20e5417f0571d6f91d1c537b6d7
Author: Sven Hartge <sven at svenhartge.de>
Date:   Mon Oct 16 18:54:54 2017 +0200

    Mitigate CVE 2017-14610 by having daemons drop privileges themselves
    
    This change effectively reverts the changes made to fix
    http://bugs.bacula.org/view.php?id=1905 "unable to get backtrace on
    crash when bacula service started by systemd".
    
    Unfortunately with the current code base it is not possible to have
    both: automatic backtraces *and* secure PID files.
---
 debian/patches/non-forking-systemd-units.patch | 40 +++++++++++---------------
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index f3fc89d..e4cbc6a 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -1,10 +1,8 @@
 Description: Change systemd.units to non-forking simple mode
 Author: Sven Hartge <sven at svenhartge.de>
 
-Index: bacula/platforms/systemd/bacula-dir.service.in
-===================================================================
---- bacula.orig/platforms/systemd/bacula-dir.service.in
-+++ bacula/platforms/systemd/bacula-dir.service.in
+--- a/platforms/systemd/bacula-dir.service.in
++++ b/platforms/systemd/bacula-dir.service.in
 @@ -17,18 +17,21 @@
  [Unit]
  Description=Bacula Director Daemon service
@@ -22,23 +20,21 @@ Index: bacula/platforms/systemd/bacula-dir.service.in
 -PIDFile=@piddir@/bacula-dir. at dir_port@.pid
 -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
 +Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-dir.conf"
 +EnvironmentFile=-/etc/default/bacula-dir
-+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG
-+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG
++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG
++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
  ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog
  
  [Install]
-Index: bacula/platforms/systemd/bacula-fd.service.in
-===================================================================
---- bacula.orig/platforms/systemd/bacula-fd.service.in
-+++ bacula/platforms/systemd/bacula-fd.service.in
-@@ -22,11 +22,15 @@ RequiresMountsFor=@working_dir@ @sysconf
+--- a/platforms/systemd/bacula-fd.service.in
++++ b/platforms/systemd/bacula-fd.service.in
+@@ -22,11 +22,15 @@
  
  # from http://www.freedesktop.org/software/systemd/man/systemd.service.html
  [Service]
@@ -59,11 +55,9 @@ Index: bacula/platforms/systemd/bacula-fd.service.in
  StandardError=syslog
  
  [Install]
-Index: bacula/platforms/systemd/bacula-sd.service.in
-===================================================================
---- bacula.orig/platforms/systemd/bacula-sd.service.in
-+++ bacula/platforms/systemd/bacula-sd.service.in
-@@ -21,11 +21,15 @@ RequiresMountsFor=@working_dir@ @sysconf
+--- a/platforms/systemd/bacula-sd.service.in
++++ b/platforms/systemd/bacula-sd.service.in
+@@ -21,11 +21,15 @@
  
  # from http://www.freedesktop.org/software/systemd/man/systemd.service.html
  [Service]
@@ -73,12 +67,12 @@ Index: bacula/platforms/systemd/bacula-sd.service.in
 -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf
 -PIDFile=@piddir@/bacula-sd. at sd_port@.pid
 +Type=simple
-+User=bacula
-+Group=tape
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-sd.conf"
 +EnvironmentFile=-/etc/default/bacula-sd
-+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG
++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG
++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG
 +ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git

More information about the pkg-bacula-commits mailing list