В Fri, 03 Aug 2012 16:12:58 +0200 Luca Capello <l...@pca.it> пишет:
> Hi there! > > Re-adding the BTS: Alexander, most of the time it is worth keeping the > BTS in the loop, given that it a way to document decisions. > > On Mon, 30 Jul 2012 20:36:26 +0200, Alexander Golovko wrote: > > On Mon, 30 Jul 2012 14:31:15 +0100, Bart Swedrowski wrote: > >> On 28 July 2012 15:03, Elrond > >> <elrond+bugs.debian....@samba-tng.org> wrote: > >>> Could you allow the "-k" option to bacula-fd? > >>> > >>> Starting with -k gives the following error: > >>> > >>> "Keep readall caps not implemented this OS or missing > >>> libraries." > >>> > >>> My current guess: bacula-fd is not linked to the libcap > >>> library. After a quick look at bacula's configure.in and > >>> src/lib/priv.c this seems to really be the case. > >>> > >>> So probably just having libcap-dev installed while > >>> building bacula should solve this. > >> > >> By default, Debian installation of bacula-fd runs it as root user > >> so having that option is pointless in current state of things. > >> However, the benefits of it are quite obvious and can potentially > >> be useful for > >> quite a wide range of users in my opinion. > >> > >> Upstream documentation about the "-k" option - > >> > >> http://www.bacula.org/en/dev-manual/main/main/New_Features_in_5_0_0.html#SECTION001080000000000000000 > > Copying here for future references: > > Read-only File Daemon using capabilities > > This feature implements support of keeping ReadAll capabilities > after UID/GID switch, this allows FD to keep root read but drop write > permission. > > It introduces new bacula-fd option (-k) specifying that ReadAll > capabilities should be kept after UID/GID switch. > > root@localhost:~# bacula-fd -k -u nobody -g nobody > > The code for this feature was contributed by our friends at > AltLinux. > > >> I wouldn't mind adding this option however still stick to running > >> bacula-fd as a root user by default; if someone wants to make use > >> of "-k" option functionality they'll be able to do so via utilising > >> /etc/default/bacula-fd overrides. > >> > >> Luca, Alexandro - what's your view on this, guys? > > > > I'm sure, that this is usefull feature and we can build bacula-fd > > with it > > I would go even further: if I read it correctly, this should improves > security, so I was wondering if it would be better to have it by > default... Yes, but enabling this feature cause all bacula binaries and libraries link with libcap2. So, i need some more investigation for add capabilities support > > Thx, bye, > Gismo / Luca
signature.asc
Description: PGP signature