
Bug 905530

Summary: bacula-director runs as root not bacula user
Product: Red Hat Enterprise Linux 6
Component: bacula
Version: 6.3
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Vincent Danen <vdanen>
Assignee: Josef Ridky <jridky>
QA Contact: qe-baseos-daemons
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-09-25 08:27:25 UTC

Description Vincent Danen 2013-01-29 15:39:20 UTC
I noticed a Debian bug report this morning (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699244) that indicated bacula-director was running as the root user instead of an unprivileged user.  I checked Fedora 17 and it has an /etc/sysconfig/bacula-dir file that specifies the user/group to run as (bacula).

Then I checked RHEL6 and this configuration file is missing, which means that when you start bacula-dir, it starts the program running as root.  Interestingly enough, there is a bacula user, so if one were to create /etc/sysconfig/bacula-dir that contains:

DIR_USER="bacula"
DIR_GROUP="bacula"

Then bacula-dir starts with the appropriate unprivileged user.

It would be good if, the next time bacula is updated, it ships with this sysconfig file by default.
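
The condition described in the report above can be audited with a short shell script. This is an added example, not part of the original report or of the bacula package; the function names are hypothetical, and the use of `ps -C` assumes procps.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths and keys are from the report.

# Print the last value assigned to key $1 in sysconfig-style file $2, quotes stripped.
sysconfig_value() {
    [ -r "$2" ] || return 1
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 only if the file sets DIR_USER and DIR_GROUP to something other than root.
audit_bacula_dir_config() {
    file=${1:-/etc/sysconfig/bacula-dir}
    if [ ! -r "$file" ]; then
        echo "FAIL: $file missing or unreadable, no unprivileged user configured"
        return 1
    fi
    rc=0
    for key in DIR_USER DIR_GROUP; do
        val=$(sysconfig_value "$key" "$file")
        case $val in
            ''|root|0) echo "FAIL: $key is unset or root in $file"; rc=1 ;;
            *)         echo "OK: $key=$val" ;;
        esac
    done
    return $rc
}

# Return 1 if a running bacula-dir process is owned by root (ps -C assumes procps).
check_running_bacula_dir() {
    owners=$(ps -C bacula-dir -o user= 2>/dev/null | sort -u)
    [ -n "$owners" ] || { echo "INFO: bacula-dir is not running"; return 0; }
    for owner in $owners; do
        [ "$owner" != root ] || { echo "FAIL: bacula-dir is running as root"; return 1; }
    done
    echo "OK: bacula-dir is running as:" $owners
}

# Constructed sample: the two-line file proposed in the report, at a temporary path.
sample=$(mktemp)
printf 'DIR_USER="bacula"\nDIR_GROUP="bacula"\n' > "$sample"
audit_bacula_dir_config "$sample"
rm -f "$sample"
```

On a real host, call `audit_bacula_dir_config` with no argument to check /etc/sysconfig/bacula-dir, then run `check_running_bacula_dir` after restarting the service.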

Comment 2 Petr Hracek 2013-02-25 08:53:06 UTC
I have checked that bug and found that it was already fixed by 
https://bugzilla.redhat.com/show_bug.cgi?id=629697

What version of bacula software did you use?
RHEL version is 6.3, right?

Comment 3 Vincent Danen 2013-02-26 18:43:59 UTC
Right, this was tested on 6.3 as 6.4 was not available at the time.  This is no longer the case in 6.4?  Looking at the contents of RHBA-2012:1469 (FAST 6.4) I don't see any mention of dropping privs.

Also, the bug you reference above is for Fedora, not RHEL.  And if I look at the changelog of what changed between 6.3 (5.0.0-9) and 6.4 (5.0.0-12), I see:

* Tue Oct 02 2012 Lukáš Nykrýn <lnykryn> - 5.0.0-12
- fix alternatives in scriptlets (#862240)

* Thu Sep 20 2012 Lukáš Nykrýn <lnykryn> - 5.0.0-11
- Add create to logrotate to preserve selinux context (#728697)

* Mon Sep 17 2012 Lukáš Nykrýn <lnykryn> - 5.0.0-10
- put correct port in my.cnf (#756803)
- shows correct job and file retention periods (#802158)
- build with $RPM_OPT_FLAGS, show compiler commands in build log (#729008)
- include /var/log/bacula.log and /var/log/bacula/ in logwatch (#728693)
- ensure that /var/spool/bacula/log has correct selinux context (#728697)

nothing in there indicates this is fixed.  From what I can see, this still affects 6.4.

Comment 4 RHEL Program Management 2013-10-14 00:01:06 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 5 Josef Ridky 2017-09-25 08:27:25 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the
Production 3 Phase, Critical impact Security Advisories (RHSAs) and
selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as
they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase
and will be marked as CLOSED/WONTFIX. If this remains a critical
requirement, please contact Red Hat Customer Support to request
a re-evaluation of the issue, citing a clear business justification. Note
that a strong business justification will be required for re-evaluation.
Red Hat Customer Support can be contacted via the Red Hat Customer Portal
at the following URL:

https://access.redhat.com/