----- Original Message -----
> From: "Peter Keller" <pkel...@sift.net>
> To: "Heitor Faria" <hei...@bacula.com.br>
> Cc: "Bacula Users List" <bacula-users@lists.sourceforge.net>
> Sent: Wednesday, February 24, 2016 9:39:13 PM
> Subject: Re: [Bacula-users] restricted consoles and uids

> Hello,
> 
> On 02/24/2016 05:50 PM, Heitor Faria wrote:
>> *Minor correction:
>> 
>> cat /usr/sbin/baculejo
>> =========================>8 Cut Here >8===========================
>> DIR_NAME=hfaria-K46CB-dir
>> DIR_ADDRESS=localhost
>> 
>> echo " Director {
>>  Name = $DIR_NAME
>>  DIRport = 9101
>>  Address = $DIR_ADDRESS
>>  Password = "xxxx"
>> }
>> 
>> Console {
>>    Name = $USER
>>    Password = "password"
>> }" > /tmp/baculejo.conf
>> 
>> bconsole -c /tmp/baculejo.conf
> 
> I see why this works, but it tells me there is no way in bacula
> to perform the configuration in question without resorting to
> either a wrapper script, some other out of band solution, or
> implementing code in bacula. Also, all users would have the
> same Password, and there would be nothing stopping them from
> just writing a baculejo.conf for root and escalating
> themselves into administrative privileges in bacula's console.

Hello, Peter. You are right in all your affirmatives.
'root' was just one example, but I though you would use less generic users for 
this solution. I think you can improve the security issues of this script, 
e.g., replacing the $USER for CONUSER=$(id -u -n) making harder for user 
spoofing. If you have all workstation secure authenticated in your directory 
service (assuming you have one) I think you can improve the security even more. 
Besides that I think UI with directory service integration would be Bacula 
Enterprise Bweb or any Apache one (Webacula, baculum etc.).
Where you see 'band solutions' I see lot's of possibilities. Perhaps not the 
free plug'n'play one you were expecting. =)

> Thank you.
> 
> -pete

Regards,
-- 
=========================================================================== 
Heitor Medrado de Faria - LPIC-III | ITIL-F | Bacula Systems Certified 
Administrator II 
Do you need Bacula training? http://bacula.us/video-classes/ 
+55 61 8268-4220 
Site: http://bacula.us FB: heitor.faria 
===========================================================================

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Reply via email to