Hi,
Russell Howe wrote:
> Kern Sibbald wrote:
>> I guess my reaction is that if someone really wants \n s in their filenames
>> (i.e. is crazy enough), then I prefer that they write their own little script
>> that encloses the names in quotes then Bacula should handle them fine.
>
> I suppose you are not worried about the possibility of a malicious user
> causing files to be unintentionally backed up isn't of any grave concern
> then?
> I would tend to agree, that it's not much of a problem, but it could be
> classed as at least a privacy breach, if not a security flaw (although
> it's really stretching things...)

You do have a point, though. Every attempt to do such a thing could be
considered "stretching things", but still we use antivirus software,
firewall, and backup software...
Thinking about it some more I'd suggest to implement some basic security
features before passing any script output to Bacula's working parts.
- paths without leading / (or drive letter, for Windows) should be
considered an error,
- \0 should be an error,
- scripts should have to be owned by root or the user bacula runs as and
must have access rights 0700. For example.
Just an idea.
Arno
--
IT-Service Lehmann [EMAIL PROTECTED]
Arno Lehmann http://www.its-lehmann.de
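
The three checks proposed in the message above, as an added example (not part of the original post and not Bacula code). The function names and the sample output are constructed for illustration, and the script is assumed to print one path per line.

```python
import os
import re
import stat

# Constructed sample of file-list script output, one path per line (assumption).
SAMPLE_OUTPUT = (b"/home/u/report.txt\n"
                 b"/home/u/odd\nname.txt\n"      # one file whose name contains \n
                 b"C:\\data\\x.doc\n"
                 b"/home/u/bad\0file\n")

WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")

def script_is_trusted(path, allowed_uids):
    """True only for a regular file owned by an allowed uid with mode exactly 0700."""
    st = os.lstat(path)  # lstat so a symlink is rejected instead of followed
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid in allowed_uids
            and stat.S_IMODE(st.st_mode) == 0o700)

def check_path(line):
    """Return None if the line is acceptable, otherwise the reason it is not."""
    if "\0" in line:
        return "NUL byte"
    if not (line.startswith("/") or WIN_DRIVE.match(line)):
        return "not absolute"
    return None

def filter_script_output(raw):
    """Split script output into (accepted paths, [(rejected line, reason)])."""
    accepted, rejected = [], []
    # surrogateescape keeps non-UTF-8 filename bytes intact while decoding
    for line in raw.decode("utf-8", "surrogateescape").split("\n"):
        if not line:
            continue
        reason = check_path(line)
        if reason:
            rejected.append((line, reason))
        else:
            accepted.append(line)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = filter_script_output(SAMPLE_OUTPUT)
    print("accepted:", ok)
    print("rejected:", bad)
```

In the sample, the file whose name contains a newline is only half caught: the relative fragment is rejected, but the truncated first half is still accepted, so these checks narrow the problem without removing it.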