Menu
▾
▴
[Bacula-devel] Re: [Bacula-users] Re: MTSETDRVBUFFER only allowed for root. Also: possible security issue
|
From: Arno L. <al...@it...> - 2005-01-22 15:24:16
|
Mario Wolff wrote: > "Arno Lehmann" <al...@it...> schrieb im Newsbeitrag > news:41F...@it...... > >>>Everything is working so far, but sometimes i get st0: MTSETDRVBUFFER >>>only allowed for root. >>>Q2: How to get rid? >> >>Checking permissions and users of the sd. Very important thing: don't >>forget the changer device if you use one... >> > > > Well, i use the debian/sid package where the daemons, except bacula-fd, run > as user bacula: > # id bacula > uid=103(bacula) gid=103(bacula) groups=103(bacula),26(tape) Ok, without personal experience with running bacula as non-root - here, my backup server is a backup server only - I'll try a guess. > crw-rw---- 1 root tape 9, 128 Mar 14 2002 /dev/nst0 > crw-rw---- 1 root tape 21, 4 Mar 14 2002 /dev/sg4 This looks ok. > lrwxrwxrwx 1 root root 9 Jan 22 11:27 /dev/tape -> > /dev/nst0 > lrwxrwxrwx 1 root root 8 Jul 6 2004 /dev/tape-changer -> > /dev/sg4 This as well. > > What's wrong? Maybe run bacula-sd suid root? No, that should not be necessary (anyway, cou could run it as root in that case, without user change at startup). Just make sure that user bacula is in group tape - but this should be the case already. Backups are run, after all, right? I would guess that the ioctl with MTSETDRVBUFFER goes to a device or driver which can only be accessed by root. Since I don't know where in bacula - the sd, most probably - this happens I can only suggest to run bacula with debug output, to scan the sourcecode for this, or to use strace to find the offending code. Or, ask someone who can help you on that level... Should only take a little time on this list, but just to make sure I'm crossposting to bacula-devel. > -rwxr-xr-x 1 root root 505192 Dec 9 18:57 /usr/sbin/bacula-dir > -rwxr-xr-x 1 root root 238632 Dec 9 18:57 /usr/sbin/bacula-fd > -rwxr-xr-x 1 root root 326984 Dec 9 18:57 /usr/sbin/bacula-sd By the way and I never noticed - shouldn't the fd be -rwx------ since it offers access to the whole filesystem, can be called with a non-default configuration, and can then be used to read and modify your whole hard disk? I just checked, and the Makefile uses install -m 0754 which looks better, but the file here was executable by anyone as well. Funny. Arno > > >>Arno > > > Mario > > > > > > ------------------------------------------------------- > This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting > Tool for open source databases. Create drag-&-drop reports. Save time > by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. > Download a FREE copy at http://www.intelliview.com/go/osdn_nl > _______________________________________________ > Bacula-users mailing list > Bac...@li... > https://lists.sourceforge.net/lists/listinfo/bacula-users > -- IT-Service Lehmann al...@it... Arno Lehmann http://www.its-lehmann.de |