[pkg-bacula-commits] [bacula] 02/03: Mitigate CVE 2017-14610 by having daemons drop privileges themselves

Carsten Leonhardt leo at moszumanska.debian.org
Thu Oct 26 20:28:37 UTC 2017 

This is an automated email from the git hooks/post-receive script.

leo pushed a commit to branch master
in repository bacula.

commit 850816735bb47c03950fc851e804c7239f1d6ff8
Author: Sven Hartge <sven at svenhartge.de>
Date:   Mon Oct 16 18:54:54 2017 +0200

    Mitigate CVE 2017-14610 by having daemons drop privileges themselves
    
    This change effectively reverts the changes made to fix
    http://bugs.bacula.org/view.php?id=1905 "unable to get backtrace on
    crash when bacula service started by systemd".
    
    Unfortunately with the current code base it is not possible to have
    both: automatic backtraces *and* secure PID files.
---
 debian/patches/non-forking-systemd-units.patch | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index 5564266..a43fc0e 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -38,13 +38,13 @@ Author: Sven Hartge <sven at svenhartge.de>
 -PIDFile=@piddir@/bacula-dir. at dir_port@.pid
 -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
 +Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-dir.conf"
 +EnvironmentFile=-/etc/default/bacula-dir
-+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG
-+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG
++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG
++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
  ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog
@@ -91,12 +91,12 @@ Author: Sven Hartge <sven at svenhartge.de>
 -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf
 -PIDFile=@piddir@/bacula-sd. at sd_port@.pid
 +Type=simple
-+User=bacula
-+Group=tape
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-sd.conf"
 +EnvironmentFile=-/etc/default/bacula-sd
-+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG
++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG
++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG
 +ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bacula/bacula.git

More information about the pkg-bacula-commits mailing list