Tullio Andreatta ML wrote:
> Dan Langille wrote:
>> This post deals with old and already fixed security issues. They are
>> fixed in Bacula. They may not be fixed in the reported vendor code,
>> in this case Gentoo.
>>
>> I noticed these two security reports today:
>>
>> http://www.securityfocus.com/archive/1/494604
>> http://www.net-security.org/advisory.php?id=9098
>>
>> I have replied to the first one, directing them to the original
>> problem report: http://bugs.bacula.org/view.php?id=990
>>
>> NOTE: this issue was first documented in 2005 by the Bacula project.
>> The documentation contains several examples as to how to avoid this
>> situation.
>
> I modified the make_catalog_backup to provide db password on stdin.
> Then I call the script with
> (echo password; exec sleep 1) | make_catalog_backup bacula bacula -
> to hide the password on the command line.
I'm not convinced this solves the problem. The password is still
available publicly, via ps auwx, for a short time.

> Patch attached.
>
> P.S.: Since password may be retrieved in the environment of
> make_catalog_backup, I also defined a read-only dbuser
> who does the catalog backup.

_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
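The point the thread turns on is that anything placed in a process's argument vector is readable by every local user (on Linux via the world-readable /proc/PID/cmdline, which is what ps auxw prints), so a database password handed to a backup script as a positional argument leaks for as long as the process lives. The following added example, which is not part of the thread and not Bacula's make_catalog_backup, makes that concrete: it starts a stand-in child process (a short Python one-liner, constructed for the demo) first with the password in argv and then with the password delivered on the child's stdin pipe, and reads the child's command line the way another user's ps would. The helper names `argv_of`, `password_in_argv` and `password_via_stdin` and the sample password are assumptions of this example.

```python
import subprocess
import sys


def argv_of(pid):
    """Return the command line of process `pid` as one string, i.e. what
    any local user sees for it in `ps auxw`. Linux exposes it through
    /proc/<pid>/cmdline (world-readable); elsewhere fall back to ps."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:
        ps = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
        return ps.stdout


# Stand-in for a backup script: a child that waits on stdin so its command
# line can be inspected while it runs (constructed helper for this example,
# not Bacula's make_catalog_backup).
CHILD_ARGV_MODE = "import sys; sys.stdin.read()"
CHILD_STDIN_MODE = ("import sys; pw = sys.stdin.readline().rstrip('\\n'); "
                    "sys.exit(0 if pw else 1)")


def password_in_argv(password):
    """Unsafe pattern: the password is a positional argument of the child.
    Returns True when the password shows up in the child's argv."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_ARGV_MODE, password],
                             stdin=subprocess.PIPE)
    try:
        # Popen returns only after exec() succeeded, so the cmdline we read
        # is the child's own, not a leftover copy of ours.
        return password in argv_of(child.pid)
    finally:
        child.stdin.close()
        child.wait()


def password_via_stdin(password):
    """Safer pattern: the child receives the password on its stdin pipe and
    nothing secret ever enters argv. Returns (visible_in_argv, exit_code);
    exit code 0 means the child actually read a non-empty password line."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_STDIN_MODE],
                             stdin=subprocess.PIPE, text=True)
    try:
        visible = password in argv_of(child.pid)
        child.stdin.write(password + "\n")
        child.stdin.close()
        return visible, child.wait()
    except Exception:
        child.kill()
        raise


if __name__ == "__main__":
    secret = "s3cr3t-catalog-pw"  # constructed sample value, not a real credential
    print("argv :", "leaks" if password_in_argv(secret) else "hidden")
    visible, rc = password_via_stdin(secret)
    print("stdin:", "leaks" if visible else "hidden", "(child exit code", rc, ")")
```

The stdin pipe is private to the two processes, which is why the second run shows nothing in the command line; the same holds for a credentials file owned by the backup user with mode 0600. Environment variables are a middle ground: /proc/PID/environ is readable only by the same user and root, so a separate low-privilege database account for the backup job, as suggested in the thread, still limits what an exposed value can do.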