В Wed, 30 Jan 2013 11:19:13 +0200 Teodor MICU <mteo...@gmail.com> пишет:
> 2013/1/29 Alexander Golovko <alexan...@ankalagon.ru>:
> >> ARGS="-u bacula -g bacula -k"
> >>
> >> I think that from a security perspective this should be the default
> >> on package installation.
> >
> > This will lead to impossibility to restore backups without
> > restarting bacula-fd. This is also can require changing user scripts
> > for dump databases and such. This can confuse peoples.
>
> I'm having this setup and I can restore backups just fine. Of course,
> the restore directory must be rwx by bacula or mode 1777.
You lose files owner/group and acl on restoring.
>
> About the other thing (ie. dump databases), I can't tell.
>
> > I think, we should not change defaults, however, this functionality
> > described in README.Debian.gz (USERS & SECURITY).
>
> But you do for bacula-dir and bacula-sd, why not for bacula-fd?
>
> > bacula-fd init script correctly work without /e/d/bacula-fd.
>
> Right. I thought that it depends on setting ENABLED="yes" but I see
> now that it checks for "no".
>
> > But there is a reason for set defaults in init scripts for
> > bacula-director and bacula-sd and comment defaults in /e/d/bacula-*
>
> Can you detail a little? I don't understand what you're trying to say.
/e/d/bacula-{dir,sd} has nonempty ARGS and bacula-{director,sd} will be
incorrectly runned under root privileges if defaults file missed.
This should be changed. Also, there is a reason, that we should provide
defaults in /e/d/bacula-* as comments. I think, this is will not be
included into wheezy, but it should be fixed in next versions.
--
with best regards,
Alexander Golovko
email: alexan...@ankalagon.ru
xmpp: alexan...@ankalagon.ru
signature.asc
Description: PGP signature
