Ryan Novosielski <[EMAIL PROTECTED]> wrote:

> Gregory Brauer wrote:
> >
> > At the end of our weekly cycle I would like to command our loader
> > to unload any tapes that are in the drive to make for easy tape
> > swapping.  With versions of bacula prior to 1.38 the director
> > daemon was running as root, so ejecting the tape was a simple
> > matter of creating a job that ran an "mtx unload" as a RunBeforeJob
> > rule. Now that bacula-dir is running as the bacula user for
> > security, the bacula-dir no longer has permission to run mtx
> > commands directly.  I was wondering if there is a way I can command
> > bacula-sd to eject the tapes on behalf of the director.
> >
> > Is there any way to do this?
> This is not entirely true. I'm not sure what package manager you are
> using and on what OS, but from source, if you don't specify anything,
> everything still runs as root.
> 
> This leads me to ask -- what does one have to do, when installing from
> source, to change the way things are done? I know logically,
> considering the work of the -fd, that it must run with SOME sort of
> elevated access (perhaps Solaris 10 will help me here), but how can I
> improve the security on the other daemons? This is the kind of
> question I'm talking about:
> 
> A) Does bacula need to run as root to access the tape drive if the
> permissions on the device are OK?
> B) Does anything bacula-dir does require it to run as root, or can I
> safely change this one right away?
> 
> ...anything I'm not thinking of here?

The sd needs rights to access any tape drives.  You can (potentially)
adjust the perms on the tape device and run the sd as some other user.

The fd needs to be able to read all the files it plans to back up.
This usually means running as root, but if you _know_ of a user that
will _always_ have read rights to the files, you can potentially change
it.

The dir doesn't need much at all ...

The FreeBSD port installs such that the fd and sd run as root, and the
dir runs as user "bacula".  I've yet to have any permission problems
(except when I give the config files the wrong ownership, but that's
operator error ...)

-- 
Bill Moran

Be calm.

        Morpheus
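
The permission question discussed above (can a non-root daemon account open the tape device and read its config?) can be checked from the mode bits. This is an added example, not part of the original thread and not Bacula code; the account name `bacula` and both paths in `CHECKS` are assumed placeholders to adjust per system.

```python
import os
import pwd
import stat

def granted(mode, owner_uid, owner_gid, uid, gids):
    """Return the subset of 'rw' that classic Unix mode bits give uid/gids."""
    if uid == 0:
        return "rw"                  # root bypasses the mode bits
    if uid == owner_uid:             # owner class wins, even if group/other allow more
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif owner_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if mode & r else "") + ("w" if mode & w else "")

def missing(path, user, need):
    """Rights in `need` that `user` lacks on `path` (mode bits only, no ACLs)."""
    pw = pwd.getpwnam(user)                    # KeyError if the account is absent
    gids = os.getgrouplist(user, pw.pw_gid)    # primary plus supplementary groups
    st = os.stat(path)
    have = granted(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    return "".join(c for c in need if c not in have)

# Constructed placeholders: daemon account, tape device node, config file.
CHECKS = [
    ("bacula", "/dev/nst0", "rw"),                  # sd must read and write the drive
    ("bacula", "/etc/bacula/bacula-dir.conf", "r"), # dir must read its config
]

if __name__ == "__main__":
    for user, path, need in CHECKS:
        try:
            lacking = missing(path, user, need)
        except (KeyError, OSError) as exc:
            print(f"{user} {path}: cannot check ({exc})")
            continue
        print(f"{user} {path}: {'ok' if not lacking else 'missing ' + lacking}")
```

The check covers mode bits only; ACLs, MAC policies and devfs rules that reset device permissions at boot are outside what it sees.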



_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
