Hi there! Re-adding the BTS: Alexander, most of the time it is worth keeping the BTS in the loop, given that it a way to document decisions.
On Mon, 30 Jul 2012 20:36:26 +0200, Alexander Golovko wrote: > On Mon, 30 Jul 2012 14:31:15 +0100, Bart Swedrowski wrote: >> On 28 July 2012 15:03, Elrond <elrond+bugs.debian....@samba-tng.org> >> wrote: >>> Could you allow the "-k" option to bacula-fd? >>> >>> Starting with -k gives the following error: >>> >>> "Keep readall caps not implemented this OS or missing libraries." >>> >>> My current guess: bacula-fd is not linked to the libcap >>> library. After a quick look at bacula's configure.in and >>> src/lib/priv.c this seems to really be the case. >>> >>> So probably just having libcap-dev installed while >>> building bacula should solve this. >> >> By default, Debian installation of bacula-fd runs it as root user so >> having that option is pointless in current state of things. However, >> the benefits of it are quite obvious and can potentially be useful >> for >> quite a wide range of users in my opinion. >> >> Upstream documentation about the "-k" option - >> >> http://www.bacula.org/en/dev-manual/main/main/New_Features_in_5_0_0.html#SECTION001080000000000000000 Copying here for future references: Read-only File Daemon using capabilities This feature implements support of keeping ReadAll capabilities after UID/GID switch, this allows FD to keep root read but drop write permission. It introduces new bacula-fd option (-k) specifying that ReadAll capabilities should be kept after UID/GID switch. root@localhost:~# bacula-fd -k -u nobody -g nobody The code for this feature was contributed by our friends at AltLinux. >> I wouldn't mind adding this option however still stick to running >> bacula-fd as a root user by default; if someone wants to make use of >> "-k" option functionality they'll be able to do so via utilising >> /etc/default/bacula-fd overrides. >> >> Luca, Alexandro - what's your view on this, guys? > > I'm sure, that this is usefull feature and we can build bacula-fd with > it I would go even further: if I read it correctly, this should improves security, so I was wondering if it would be better to have it by default... Thx, bye, Gismo / Luca
pgp4192IRQjly.pgp
Description: PGP signature