On Wednesday 04 April 2007 23:08, Alan Brown wrote: > On Wed, 4 Apr 2007, Ryan Novosielski wrote: > > > If something won't start as a non-root user, you need to find out why. > > All that bacula-dir needs is to own the files that it needs to write > > to/have appropriate permissions to read the files it needs to read. > > Correct > > > This goes the same for the -sd, except you must include the /dev/nst, > > /dev/rmt, or whatever your system feels like calling the tape drive. > > Correct, as long as the user and/or group permissions of the tape drive > are ok for that user (It's a common trap...) > > The problem on (at least) linux systems is when bacula-sd attempts to > adjust any tape drive settings such as buffering or compression. > > I am getting a constact stream of "Only root can do that" errors in my > logs because of this. Solving this would be nice, but is not a high > priority.
Move up to the current 2.0.3 where those error messages are eliminated by simply not trying to execute the code if Bacula is not running as root. This means that you must have your drive (from the OS perspective) correctly configured. I'm currently discussing with the SCSI guy how we can make that ioctl accessible to a non-root program (actually it is really CAP_SYS_ADMIN capability rather than being root). > > > The - -fd arguable needs to run as root, but only if it is backing up > > files that a regular user cannot read. > > (Which is pretty much everything, unless it's working in tightly defined > directory trees.) > > Ryan is correct that running things as root is a security hazard. Time and > again when I see this happening it's because the coder or admin comes from > a windows background where things _have_ to be root to work, thanks to the > flawed security models in that environment. Well, it is actually a result of flawed programs in the Windows environement -- Windows actually has a lot finer control over access permissions that I have seen in the "normal" (i.e. without SELinux or AppArmor) Unix/Linux world. It is just that programmers don't use them properly. > > > It'd be nice to be able to lock things down even more tightly. I've even > been tempted to setup chroot environments for bacula-fd and -dir I assume you mean bacula-sd and bacula-dir. If you really mean bacula-fd, please tell me how you can accomplish that. ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
