[pkg-bacula-commits] [bacula] 01/01: Mitigate CVE 2017-14610 by having daemons drop privileges themselves (SysV-Init)

[Sven Hartge]

This is an automated email from the git hooks/post-receive script.

hartge-guest pushed a commit to branch CVE-2017-14610
in repository bacula.

commit 355dcec85a167fe49d1e32a3db6cf3748fca1938
Author: Sven Hartge <sven at svenhartge.de>
Date:   Mon Oct 16 18:59:59 2017 +0200

    Mitigate CVE 2017-14610 by having daemons drop privileges themselves (SysV-Init)
    
    This change effectively reverts the changes made in
    http://www.bacula.org/git/cgit.cgi/bacula/commit/?h=Branch-7.4&id=3924012940114148be0ef565e6d979597f9a27d1
    to fix being unable to get automatic backtraces on crash.
    
    Unfortunately with the current code base it is not possible to have
    both: automatic backtraces *and* secure PID files.
---
 debian/bacula-director.init | 2 +-
 debian/bacula-fd.init       | 2 +-
 debian/bacula-sd.init       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/bacula-director.init b/debian/bacula-director.init
index e041973..4b95a08 100644
--- a/debian/bacula-director.init
+++ b/debian/bacula-director.init
@@ -67,7 +67,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 6a26191..5c9579e 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -54,7 +54,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init
index 73a8663..0824983 100644
--- a/debian/bacula-sd.init
+++ b/debian/bacula-sd.init
@@ -53,7 +53,7 @@ do_start()
 {
 	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git