Hello,

As you know, users running Bacula under restricted privileges (i.e. 
user=bacula, group=bacula or disk) have had a number of problems accessing 
the necessary files.  After looking at the source code and several patches 
that were submitted by Dimitri Puzin, it appears that the documentation of 
setgroups() is really quite deficient, which means that the current code does 
not properly initialize all the groups associated with the userid. 

I've now reworked the original code in a way that I think should now work 
correctly -- correctly set up all the groups associated with the userid 
specified, and add any additional group that may be specified.

Note:  to change the group (-g xxx), you *must* specify the user (i.e. -u 
yyy).  Another way of saying this is that a -g option without the -u option 
will be ignored (I suppose I should make it ABORT). This should cause no 
problem because normally one uses a command line something like 

  bacula-sd -c ... -u bacula -g disk

Since the code now initializes all the groups associated with the user 
specified, the "-g disk" should no longer be necessary providing that the 
user "bacula" is configured to be in the "disk" group.

I would appreciate it if one or more of you could try the patch that I have 
attached to this email (instructions at the top of the patch) and let me know 
if it corrects the problems.  

Best regards,

Kern
  This patch will hopefully solve the problem of the group not
  being correctly initialized when a Bacula daemon does a to
  a new userid or a new groupid.

  It can be applied to most all versions of 1.38.x but in particular
  1.38.11 with the following:

  cd <bacula-source>
  patch -p0 <1.38.11-drop.patch
  make
  make install
  ...

Index: src/lib/bsys.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/lib/bsys.c,v
retrieving revision 1.42.2.4
diff -u -u -b -r1.42.2.4 bsys.c
--- src/lib/bsys.c	22 Dec 2005 21:35:24 -0000	1.42.2.4
+++ src/lib/bsys.c	7 Jul 2006 08:54:45 -0000
@@ -8,7 +8,7 @@
  *   Version $Id: bsys.c,v 1.42.2.4 2005/12/22 21:35:24 kerns Exp $
  */
 /*
-   Copyright (C) 2000-2005 Kern Sibbald
+   Copyright (C) 2000-2006 Kern Sibbald
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
@@ -602,10 +602,25 @@
  */
 void drop(char *uid, char *gid)
 {
-#ifdef HAVE_GRP_H
-   if (gid) {
+#if   defined(HAVE_PWD_H)
+   struct passwd *passw;
+   if (uid) {
+      if ((passw = getpwnam(uid)) == NULL) {
+         Emsg1(M_ERROR_TERM, 0, _("Could not find specified userid: %s\n"), uid);
+      }
+      if (setuid(passw->pw_uid)) {
+         Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), uid);
+      }
+      if (initgroups(passw->pw_name, passw->pw_gid)) {
+         Emsg2(M_ERROR_TERM, 0, _("Could set group=%s for userid=%s\n"),         
+            passw->pw_gid, uid);
+      }
+   }
+#endif
+
+#if   defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+   if (uid && gid) {
       struct group *group;
-      gid_t gr_list[1];
 
       if ((group = getgrnam(gid)) == NULL) {
          Emsg1(M_ERROR_TERM, 0, _("Could not find specified group: %s\n"), gid);
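Review bot: setuid(passw->pw_uid) is called before initgroups(passw->pw_name, passw->pw_gid) in the new uid block, so a daemon started as root has already given up the privilege that initgroups() needs (it calls setgroups()) and the call fails with EPERM; the setgid() in the block below is affected the same way. Suggest doing both lookups first, then initgroups(), then setgid(), and setuid() last. Two smaller points in the same lines: the Emsg2 format uses %s for passw->pw_gid, which is a gid_t and not a string (use a numeric format with a cast, or print the group name), and the message reads "Could set group" where "Could not set group" is meant. The new "if (uid && gid)" test also skips -g silently when -u is absent; reporting an error there would be safer than ignoring the option.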
@@ -613,25 +628,12 @@
       if (setgid(group->gr_gid)) {
          Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
       }
-      gr_list[0] = group->gr_gid;
-      if (setgroups(1, gr_list)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
+      if (initgroups(passw->pw_name, group->gr_gid)) {
+         Emsg2(M_ERROR_TERM, 0, _("Could set group=%s for userid=%s\n"),         
+            group->gr_gid, uid);
       }
    }
 #endif
-
-#ifdef HAVE_PWD_H
-   if (uid) {
-      struct passwd *passw;
-      if ((passw = getpwnam(uid)) == NULL) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not find specified userid: %s\n"), uid);
-      }
-      if (setuid(passw->pw_uid)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), uid);
-      }
-   }
-#endif
-
 }
 
 
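Review bot: the setuid() block removed at the end of this hunk was what made the uid change the last step; with setuid() now at the top of drop(), the setgid(group->gr_gid) and initgroups(passw->pw_name, group->gr_gid) calls here run as the unprivileged user and will fail, taking the M_ERROR_TERM path. Keep the uid change after the group calls. With that order a single initgroups() call is enough: pass group->gr_gid when -g is given and passw->pw_gid otherwise, rather than calling it once in each block. The Emsg2 here also hands group->gr_gid to a %s conversion; print gid (the name, already in scope) or use a numeric format.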
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
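
The drop sequence the message describes (all of the user's groups initialized, plus an optional extra group), written as a stand-alone added example. It is not Bacula's code and not part of the patch; the function name drop_privileges() and the choice to reject a group given without a user are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Bacula's drop(). Returns 0 on success, -1 with
 * errno set on failure. Must be called while the process is still root. */
int drop_privileges(const char *user, const char *group)
{
    struct passwd *pw;
    struct group *gr;
    uid_t uid;
    gid_t gid;

    if (!user) {                      /* assumption: -g without -u is an error */
        if (!group) return 0;         /* nothing requested */
        errno = EINVAL;
        return -1;
    }
    if ((pw = getpwnam(user)) == NULL) { errno = ENOENT; return -1; }
    uid = pw->pw_uid;
    gid = pw->pw_gid;                 /* default: the user's primary group */
    if (group) {
        if ((gr = getgrnam(group)) == NULL) { errno = ENOENT; return -1; }
        gid = gr->gr_gid;
    }
    /* 1. Supplementary groups: every group listing the user, plus gid. */
    if (initgroups(pw->pw_name, gid) != 0) return -1;
    /* 2. Real, effective and saved gid, while we are still privileged. */
    if (setgid(gid) != 0) return -1;
    /* 3. The uid last: after this call the two steps above would fail. */
    if (setuid(uid) != 0) return -1;
    /* 4. Confirm the drop is irreversible. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (drop_privileges(argc > 1 ? argv[1] : NULL, argc > 2 ? argv[2] : NULL)) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as root with a user name and an optional group name; started unprivileged, step 1 fails with EPERM, which is the same failure a setuid()-first ordering produces.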
