On 12/18/2015 06:46 PM, H. Steuer wrote:
Hello Kern,
thanks for your comment. Probably I did not understand the
security model of Bacula so far. Furthermore, you misread my
post. The point is not anybody having root access to the Bacula
server - that's absolutely not the case. And there are just very
few users with root access on servers. But let's assume an
administrator that manages mail servers only has root privileges
on its mail servers (not on any other machine, just his few mail
servers).
This mail server has a file daemon configuration locally where
the director password is stored. That's necessary for the director
to connect to this particular client. So far so good. For my
understanding, and please correct me if I'm wrong, I can use the
same password that is part of the file daemon configuration in
the bconsole.conf to gain anonymous console.
So an evil administrator could read the password out of the
bacula-fd.conf, install bconsole and create just a bconsole.conf
with the same password he extracted from the bacula-fd.conf.
Probably I just missed the point here and my assumption is
wrong. At least my local tests confirmed that this is the case.
Can you please leave a comment on this?
Yes, you have very likely "misconfigured" your File Daemon. In the
Director resource of the FD, you should put the password that is in
the Client resource of the bacula-dir.conf file and definitely not
the password that is in the Director resource of the bacula-dir.conf
file. It may seem a bit confusing at the beginning, but the FD
Director resource should have the password that the Director will
use when connecting to the Client (i.e. the bacula-dir.conf Client
password).
The password that is in the Director resource of bacula-dir.conf
should *only* be used in the bconsole.conf file on machines where
you want the administrator to have full control of Bacula.
Once you "get" this, your security concerns mentioned in these
emails about Bacula will most likely go away.
This arrangement is shown in various diagrams in the Bacula manual,
but Dan Langille has a much clearer diagram of this process that
may help you.
Best regards,
Kern
Thanks,
Heri
On 18.12.2015 17:56, Kern Sibbald wrote:
Hello,
If you have hundreds of users with root access and they can
access the Bacula Director machine as root, you have a far
bigger security problem than just Bacula, since they can do
anything to your machines and the Bacula Director machine, and
there is no way Bacula could ever avoid it.
Root access to your Bacula Director machine gives the person
access to everything including everything in Bacula. On *nix
machines that is normal and it is unavoidable.
Thus in a network such as yours you must be careful never to
allow external root access to any machine you want to be
secure. Access should always be via a user id and password,
and sudo root access should always be disallowed to everyone
except trusted administrators. There are, of course, other
more complicated ways to accomplish the same thing.
Bacula has been around for 15 years now, and if there were a
serious security design error, it would have been pointed out
a long time ago. I assume you already understand my comments
about sudo and root access, and I am sure when you fully
understand Bacula's security and apply "normal" *nix security
(sudo, ...) on top of it, you will have a secure backup
system.
Best regards,
Kern
On 12/18/2015 05:34 PM, H. Steuer wrote:
Hello Bill,
you are right, but there is a serious side effect. Here's a
statement from the Bacula docs:
The first console type is an anonymous or default console, which
has full privileges. There is no console resource necessary for
this type since the password is specified in the Director resource.
Typically you would use this anonymous console only for
administrators.
So this means that - as there is no configuration item for the
anonymous console in the "bacula-dir.conf", it uses the password
from the "Director" section. As this is also the password that's
used for the director to access the client file daemon, we have now
the result that this is the same password that can be used in a
"Director" section of the bconsole.conf. I just gave it a try and
changed the password in the Director section of the bacula-dir.conf.
Then I have chosen a random client, installed bconsole, created a
bconsole.conf with the same password and voila - had full access
to all the backups.
So the final result is that you can always use the same password
in the bconsole.conf Director section as the one that's configured
in your bacula-fd.conf Director section which then grants you
administrative privileges in the director.
Thanks for your support so far, let me know your
thoughts....
Cheers,
Heri
On 18.12.2015 17:19, Bill Arlofski wrote:
On 12/18/2015 10:30 AM, H. Steuer wrote:
Hello Bill,
thanks for your explanation. I fully understand your point. However, if a user
has root privileges on one host which is backed up, there is already a file
daemon config that holds the director password. Please correct me if I'm wrong,
but my understanding is that the anonymous console does not require (and cannot
have) a "Console" configuration on the director. Therefore such a root user
could install the bconsole client on his host, configure the bconsole towards
the director with the password grabbed from the file daemon and then connect to
the director.
The password in the Director {} resource of the bacula-fd.conf file on a
client is the password that the Director must supply to connect to the FD, not
the other way around.
Try it. :) Try using this password in a bconsole.conf file and attempt to
connect to the Director. You will be denied access.
On the Director, a Client {} resource needs to be created where a matching
password is set for each FD.
Hope this makes it a little more clear.
Bill
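The misconfiguration discussed in this thread, where the password of the Director resource in bacula-dir.conf also ends up in a Client resource and therefore in a client's bacula-fd.conf, can be checked for mechanically. The following is an added example, not part of the original e-mails or of Bacula itself; the resource names, addresses and passwords are constructed placeholders, and the parser assumes resources without nested braces.

```python
import re

# Constructed sample configs (not from the thread); names and passwords are placeholders.
DIR_CONF = '''
Director {
  Name = backup-dir
  Password = "CONSOLE-SECRET"   # belongs only in an admin's bconsole.conf
}
Client { Name = mail1-fd; Address = mail1.example.org; Password = "MAIL1-FD-SECRET" }
Client { Name = web1-fd;  Address = web1.example.org;  Password = "CONSOLE-SECRET" }
'''
FD_CONFS = {  # client name -> text of that host's bacula-fd.conf
    "mail1-fd": 'Director { Name = backup-dir; Password = "MAIL1-FD-SECRET" }',
    "web1-fd":  'Director { Name = backup-dir; Password = "CONSOLE-SECRET" }',
}

def parse_resources(text):
    """Return [(resource_type, {directive: value})]; handles blocks without nested braces."""
    text = re.sub(r'("[^"]*")|#[^\n]*', lambda m: m.group(1) or "", text)  # drop comments
    resources = []
    for rtype, body in re.findall(r'(\w+)\s*\{([^{}]*)\}', text):
        pairs = re.findall(r'([A-Za-z][A-Za-z ]*?)\s*=\s*("[^"]*"|[^;\n]+)', body)
        resources.append((rtype.lower(), {k.replace(" ", "").lower(): v.strip().strip('"')
                                          for k, v in pairs}))
    return resources

def audit(dir_conf, fd_confs):
    """Return sorted (client, problem) pairs where the console password leaks to a client."""
    res = parse_resources(dir_conf)
    console_pw = {d["password"] for t, d in res if t == "director" and "password" in d}
    findings = set()
    for t, d in res:
        if t == "client" and d.get("password") in console_pw:
            findings.add((d.get("name"), "Client resource reuses the Director password"))
    for name, text in fd_confs.items():
        for t, d in parse_resources(text):
            if t == "director" and d.get("password") in console_pw:
                findings.add((name, "bacula-fd.conf contains the console password"))
    return sorted(findings)

if __name__ == "__main__":
    for client, problem in audit(DIR_CONF, FD_CONFS):
        print(f"{client}: {problem}")
```

Any client it reports should get its own password in the Client resource and in the Director resource of its bacula-fd.conf, after which the Director password should be changed.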