Package: bacula-director-mysql
Severity: important
Tags: patch, security
Hi,
the default bacula configuration file supports backing up the catalog
database using the "make_catalog_backup" script. For this, the following
line is in bacula-dir.conf:
RunBeforeJob = "/etc/bacula/scripts/make_catalog_backup bacula bacula"
If the database is password protected, the password must be added as a
third argument. This works as expected, but poses up a number of
security risks.
Firstly, when the backup fails, the complete command line is put into an
email with the error messages, including the password. For example:
15-Oct 21:10 stdio.flexvps.nl-dir: BeforeJob: run command
"/etc/bacula/scripts/make_catalog_backup bacula bacula
c1130ee16f7125579d6214bcd114b71"
15-Oct 21:10 stdio.flexvps.nl-dir: BeforeJob: mysqldump: Got error:
1045: Access denied for user 'bacula'@'localhost' (using password:
YES) when trying to +connect
Since email is no secure channel, this can expose the database password.
Having the database password in the error message hardly serves any
purpose and should probably be avoided.
Additionally, having the password on the commandline, makes it available
to users on the same machine. The command lines of running processes are
usually accessible to users, so running a simple
[EMAIL PROTECTED]:~$ ps aux|grep catalog
bacula 11706 0.0 0.0 4092 1452 ? S 21:43 0:00 /bin/sh
/etc/bacula/scripts/make_catalog_backup bacula bacula
0c1130ee16f7125579d6214bcd114b71
reveals the database password.
It would be better to store the password in an external file, and pass
that filename to the make_catalog_backup script. In this way, the
make_catalog_backup script is still generic, but the database password
is not exposed (though that file should be readable by the bacula user,
not only by root).
The attached patch achieves the above, while maintaining backwards
compatibility. It might be better to remove backwards compatibility to
prevent users from using the old, insecure way, however. Additionally,
my modifications to the script could pose problems if someone uses a
database password that is also the name of an existing file.
Gr.
Matthijs
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23-rc9-g1b60e5d0-dirty (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages bacula-director-mysql depends on:
pn bacula-director-common <none> (no description available)
pn dbconfig-common <none> (no description available)
ii debconf [debconf-2.0] 1.5.14 Debian configuration management sy
ii libc6 2.6.1-1 GNU C Library: Shared libraries
ii libgcc1 1:4.2.1-4 GCC support library
ii libmysqlclient15off 5.0.45-1 MySQL database client library
ii libstdc++6 4.2.1-4 The GNU Standard C++ Library v3
ii libwrap0 7.6.dbs-14 Wietse Venema's TCP wrappers libra
ii mysql-client-5.0 [mysql 5.0.45-1 MySQL database client binaries
ii python2.4 2.4.4-6 An interactive high-level object-o
ii zlib1g 1:1.2.3.3.dfsg-5 compression library - runtime
Versions of packages bacula-director-mysql recommends:
ii mysql-server-5.0 [mysql-serve 5.0.45-1 MySQL database server binaries
--- make_catalog_backup 2007-10-15 21:43:20.000000000 +0200
+++ make_catalog_backup_safe 2007-10-15 22:08:42.000000000 +0200
@@ -7,16 +7,16 @@
# of the output file (default = bacula).
# $2 is the user name with which to access the database
# (default = bacula).
-# $3 is the password with which to access the database or "" if no password
-# (default "")
+# $3 is the name of a file which holds the password with which to access the
+# database or "" if no password (default ""). Can also be the actual
+# password instead of a filename, but this is only provided for backwards
+# compatibility and is insecure.
# $4 is the host on which the database is located
# (default "")
#
#
BINDIR=/usr/bin
-sleep 200
-
cd /var/lib/bacula
rm -f $1.sql
if test xsqlite = xmysql ; then
@@ -24,7 +24,11 @@
else
if test xmysql = xmysql ; then
if test $# -gt 2; then
- MYSQLPASSWORD=" --password=$3"
+ if [ -r "$3" ]; then
+ MYSQLPASSWORD=" --password=`cat \"$3\"`"
+ else
+ MYSQLPASSWORD=" --password=$3"
+ fi
else
MYSQLPASSWORD=""
fi
