Dan Langille wrote:
> This post deals with old and already fixed security issues. They are
> fixed in Bacula. They may not be fixed in the reported vendor code, in
> this case Gentoo.
> I noticed these two security reports today:
> http://www.securityfocus.com/archive/1/494604
> http://www.net-security.org/advisory.php?id=9098
> I have replied to the first one, directing them to the original problem
> report: http://bugs.bacula.org/view.php?id=990
> NOTE: this issue was first documented in 2005 by the Bacula project.
> The documentation contains several examples as to how to avoid this
> situation.
I modified make_catalog_backup to accept the db password on stdin.
Then I call the script with
(echo password; exec sleep 1) | make_catalog_backup bacula bacula -
to hide the password on the command line.
Patch attached.
P.S.: Since the password may be retrieved from the environment of
make_catalog_backup, I also defined a read-only dbuser
who does the catalog backup.
--
Tullio Andreatta
09:f9:11:02:9d:74:e3:5b:d8:41:56:c5:63:56:88:c0
45:5f:e1:04:22:ca:29:c4:93:3f:95:05:2b:79:2a:b2
Disclaimer: "Please treat this email message in a reasonable way, or we
might get angry" ( http://www.goldmark.org/jeff/stupid-disclaimers )
diff -urN bacula-2.4.1.orig/src/cats/make_catalog_backup.in
bacula-2.4.1/src/cats/make_catalog_backup.in
--- bacula-2.4.1.orig/src/cats/make_catalog_backup.in 2007-10-22
23:47:58.000000000 +0200
+++ bacula-2.4.1/src/cats/make_catalog_backup.in 2008-07-22
09:28:49.000000000 +0200
@@ -7,12 +7,11 @@
# of the output file (default = bacula).
# $2 is the user name with which to access the database
# (default = bacula).
-# $3 is the password with which to access the database or "" if no password
-# (default ""). WARNING!!! Passing the password via the command line is
-# insecure and should not be used since any user can display the command
-# line arguments and the environment using ps. Please consult your
-# MySQL or PostgreSQL manual for secure methods of specifying the
-# password.
+# $3 is the password with which to access the database or "-" if password
+# is provided on standard input or "" if no password (default "").
+# WARNING!!! Passing the password via the command line is insecure and
+# should not be used since any user can display the command line
+# arguments and the environment using ps.
# $4 is the host on which the database is located
# (default "")
#
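Review bot: the rewritten description of $3 drops the sentence pointing to the MySQL/PostgreSQL manuals and does not say what the new "-" mode still exposes. With "-" the password leaves the command line, but the script then does `export MYSQL_PWD` / `export PGPASSWORD`, so it sits in the dump process's environment (which the surviving WARNING itself says can be displayed), and `read` consumes exactly one line, so a password containing a newline cannot be supplied this way. Suggest keeping the manual reference (option files such as ~/.my.cnf or ~/.pgpass keep the secret out of both argv and environment) and stating the one-line rule next to the "-" description.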
@@ -26,20 +25,25 @@
else
if test xmysql = [EMAIL PROTECTED]@ ; then
if test $# -gt 2; then
- MYSQLPASSWORD=" --password=$3"
- else
- MYSQLPASSWORD=""
+ case "$3" in
+ -) read MYSQL_PWD || exit 1 ;;
+ *) MYSQL_PWD="$3" ;;
+ esac
+ export MYSQL_PWD
fi
if test $# -gt 3; then
MYSQLHOST=" --host=$4"
else
MYSQLHOST=""
fi
- ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
+ ${BINDIR}/mysqldump -u ${2} ${MYSQLHOST} -f --opt $1 >$1.sql
else
if test xpostgresql = [EMAIL PROTECTED]@ ; then
if test $# -gt 2; then
- PGPASSWORD=$3
+ case "$3" in
+ -) read PGPASSWORD || exit 1 ;;
+ *) PGPASSWORD="$3" ;;
+ esac
export PGPASSWORD
fi
if test $# -gt 3; then
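Review bot: both `-)` arms use plain `read MYSQL_PWD` / `read PGPASSWORD`, which strips leading and trailing IFS whitespace and treats backslashes as escapes, so a password such as `ab\c` or one ending in a space arrives mangled; use `IFS= read -r MYSQL_PWD || exit 1` (and the same for PGPASSWORD). Also, with the `else MYSQLPASSWORD=""` branch removed, a MYSQL_PWD already present in the caller's environment is now used silently when fewer than three arguments are given; if that is not intended, `unset MYSQL_PWD` in an else branch. Finally, `read ... || exit 1` fails when the piped input ends without a newline, because `read` returns non-zero at EOF even after storing the data; that is fine for the `echo` in the documented invocation but deserves a comment.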
diff -urN bacula-2.4.1.orig/src/dird/bacula-dir.conf.in
bacula-2.4.1/src/dird/bacula-dir.conf.in
--- bacula-2.4.1.orig/src/dird/bacula-dir.conf.in 2008-06-19
21:44:34.000000000 +0200
+++ bacula-2.4.1/src/dird/bacula-dir.conf.in 2008-07-22 09:22:09.000000000
+0200
@@ -61,11 +61,11 @@
FileSet="Catalog"
Schedule = "WeeklyCycleAfterBackup"
# This creates an ASCII copy of the catalog
+ # Arguments to make_catalog_backup are:
+ # make_catalog_backup <database-name> <user-name> <password|-> <host>
# WARNING!!! Passing the password via the command line is insecure.
# see comments in make_catalog_backup for details.
- # Arguments to make_catalog_backup are:
- # make_catalog_backup <database-name> <user-name> <password> <host>
- RunBeforeJob = "@scriptdir@/make_catalog_backup @db_name@ @db_user@"
+ RunBeforeJob = "(echo @db_password@; exec sleep 1) |
@scriptdir@/make_catalog_backup @db_name@ @db_user@ - localhost"
# This deletes the copy of the catalog
RunAfterJob = "@scriptdir@/delete_catalog_backup"
Write Bootstrap = "@working_dir@/BackupCatalog.bsr"
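Review bot: the WARNING comment now sits directly under an example that pipes the password from `echo @db_password@`, and nothing explains the `-` argument or why `exec sleep 1` follows the echo; a one-line comment stating that `-` makes the script read a single line from stdin and what the `exec sleep 1` is for would save the next reader from guessing. Note also that the password is now written literally into bacula-dir.conf, so the permissions on that file are what protects it, and that the quoted RunBeforeJob value must stay on one line (the break shown here would not parse if it is in the patch rather than mail wrapping).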
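The stdin convention used in the message above (a "-" argument meaning "read the password from standard input", then hand it to the dump tool through MYSQL_PWD or PGPASSWORD) is illustrated by the following added example. It is not the patch's code nor Bacula's; the function names `resolve_db_password` and `run_with_db_password` are hypothetical, the password values are constructed, and `read` is used with `IFS=` and `-r` so that blanks and backslashes survive intact.

```shell
#!/bin/sh
# Added example (not part of the patch or of Bacula): a helper that takes the
# catalog password the way the patched make_catalog_backup does ("-" means
# read one line from stdin) and hands it to the dump command through the
# environment only, so it never appears in that command's argument list.

# resolve_db_password PASSWORD_ARG
#   "-"    read exactly one line from standard input
#   other  use the argument as given (this is the form ps can display)
# Writes the password to stdout without a trailing newline.
# Returns 1 if "-" was requested and stdin supplied no line.
resolve_db_password() {
    case "$1" in
        -)
            # IFS= keeps leading/trailing blanks, -r keeps backslashes literal;
            # a plain "read VAR" would mangle both.
            IFS= read -r _pw || return 1
            printf '%s' "$_pw"
            ;;
        *)
            printf '%s' "$1"
            ;;
    esac
}

# run_with_db_password VARNAME PASSWORD_ARG COMMAND [ARGS...]
#   VARNAME is MYSQL_PWD (for mysqldump) or PGPASSWORD (for pg_dump).
#   The password is placed only in the child's environment, never in its
#   argument list, so ps shows the dump command without it.
#   Returns 2 for an unsupported variable name, 1 if no password was read.
run_with_db_password() {
    _var=$1
    _arg=$2
    shift 2
    case "$_var" in
        MYSQL_PWD|PGPASSWORD) ;;
        *) echo "run_with_db_password: unsupported variable $_var" >&2; return 2 ;;
    esac
    # Command substitution inherits our stdin, so "-" reads the piped line.
    _secret=$(resolve_db_password "$_arg") || return 1
    env "$_var=$_secret" "$@"
}

# Demonstration with a constructed password: the child sees the secret in
# its environment, while its own argument list contains only "sh -c ...".
printf '%s\n' 'example-password' |
    run_with_db_password PGPASSWORD - \
        sh -c 'echo "child argv: $0 $*"; echo "PGPASSWORD has ${#PGPASSWORD} chars"'
```

The secret still ends up in the child's environment, readable by the same user and by root, so this closes the `ps` argument-list exposure the message is about but is not a substitute for an option file with restrictive permissions.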
_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel