>>>>> On Thu, 26 Jan 2006 07:49:20 -0500, "Dan Langille" <[EMAIL PROTECTED]> 
>>>>> said:
> 
> On 26 Jan 2006 at 10:05, Martin Simmons wrote:
> 
> > >>>>> On Wed, 25 Jan 2006 14:58:25 -0500, "Dan Langille" <[EMAIL PROTECTED]> said:
> > > 
> > > On 25 Jan 2006 at 18:19, Attila Fülöp wrote:
> > > 
> > > > Dan Langille wrote:
> > > > > On 24 Jan 2006 at 17:19, Attila Fülöp wrote:
> > > > > 
> > > > > 
> > > > >>Dan Langille wrote:
> > > > >>
> > > > >>>On 23 Jan 2006 at 20:59, Attila Fülöp wrote:
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>>>Hi Dan,
> > > > >>>>
> > > > >>>>thanks to you and Lars for the fast update of the bacula port.
> > > > >>>>
> > > > >>>>doing a "portupgrade bacula-server" i encountered two small
> > > > >>>>glitches (or should i say minor problems?). The first is in
> > > > >>>>the Makefile and fixed with the  attached patch. This fixes
> > > > >>>>the following output line.
> > > > >>>>
> > > > >>>>
> > > > >>>>>Look at REFIX/share/bacula/update_bacula_tables for
> > > > >>>
> > > > >>>
> > > > >>>Thanks.  I'll submit that as a PR.  Unless you want to?
> > > > >>>
> > > > >>
> > > > >>Ok, please submit it.
> > > > > 
> > > > > 
> > > > > Done. We fixed both problems. I'll start a new thread regarding the 
> > > > > other changes we made, but here is what the server install says now:
> > > > > 
> > > > > Look at /usr/local/share/bacula/update_bacula_tables for
> > > > > database update procedure. Details can be found in the
> > > > > ReleaseNotes
> > > > > 
> > > > > and:
> > > > > 
> > > > >   Please note that bacula-server no longer installs the client
> > > > >   and that the documentation is only installed with the client
> > > > >   (see port sysutils/bacula-client)!
> > > > 
> > > > Thanks!
> > > > 
> > > > Well i noticed that bconsole is installed with the  following
> > > > permission:
> > > > -rwxr-xr--  1 root  wheel  197756 Jan 23 21:06 bconsole
> > > > therefore you can't call bconsole from within RunBefore/After
> > > > scripts since the director runs as user and group bacula.
> > > > A chgrp bacula bconsole should fix this. Not sure whether
> > > > i did a chgrp or a chmod o+x for 1.36. Hopefully i can tell
> > > > you tomorrow. Sorry for not reporting this earlier and the
> > > > inconvenience that may result.
> > > 
> > > Like this?
> > > 
> > > [EMAIL PROTECTED]:/usr/local/sbin] # ls -l bconsole
> > > -rwxr-xr--  1 root  bacula  179265 Jan 25 07:53 bconsole
> > > [EMAIL PROTECTED]:/usr/local/sbin] #
> > 
> > These permissions look a little bizarre to me:
> > 
> > 1) Why is it writable?  I'm not sure if there is any convention, but all the
> >    files in /bin and /usr/bin on my FreeBSD 4.9 machine are not writable.
> 
> I do not know.
> 
> Everything in my /usr/local/sbin is u,g,o+rx and a few are u+w.

Yes, that's what I see in /usr/local too.  It looks like a random subset of
other package (or non package) installations have u+w too.


> > 2) Is there some reason to restrict it to root and bacula?  It might be better
> >    to do access control by restricting the conf file, because that allows more
> >    precise control.
> 
> The g+x bacula, as mentioned above, is to allow the Director to run 
> bconsole (e.g. as part of a RunAfter script).
> 
> Are you suggesting o+x instead?

Yes, I think it should be -r-xr-xr-x or -rwxr-xr-x.


> > 3) Making it world readable allows anyone to copy it and change the
> >    permissions anyway!
> 
> Understood.
> 
> Tightening up permissions might be a good thing.
> 
> $ ls -l /usr/local/sbin/bacula-*
> -rwxr-xr--  1 root  wheel  588366 Jan 21 15:30 /usr/local/sbin/bacula-dir
> -rwxr-xr--  1 root  wheel  282466 Jan 21 15:28 /usr/local/sbin/bacula-fd
> -rwxr-xr--  1 root  wheel  412734 Jan 21 15:30 /usr/local/sbin/bacula-sd
> 
> Perhaps those should all be 740

I'm not sure it makes much difference to security, because someone can always
build their own binary from source or obtain the bacula pkg.

 
> -rw-r-----  1 bacula  bacula  31629 Jan 25 10:51 /usr/local/etc/bacula-dir.conf
> -rw-r-----  1 root    wheel     846 Feb 18  2005 /usr/local/etc/bacula-fd.conf
> -rw-r-----  1 root    wheel    2425 Jan 24 08:06 /usr/local/etc/bacula-sd.conf
> 
> And those are OK as they are.

Right, those are the important ones to protect (along with bconsole.conf).

__Martin


_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
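
The permission points made in this thread, as an added example that is not part of the original messages or of the Bacula port: a shell check that classifies `ls -l` mode strings for binaries and conf files along the lines discussed. The function names `check_mode` and `audit_file` and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `ls -l` mode strings the way
# the discussion does. Function names and finding labels are hypothetical.

# check_mode KIND MODE   KIND: bin|conf   MODE: e.g. -rwxr-xr--
check_mode() {
    kind=$1
    mode=$2
    # Mode string layout: char 1 type, 2-4 owner, 5-7 group, 8-10 other
    other=$(printf '%s' "$mode" | cut -c8-10)
    o_r=$(printf '%s' "$other" | cut -c1)
    o_w=$(printf '%s' "$other" | cut -c2)
    o_x=$(printf '%s' "$other" | cut -c3)
    if [ "$o_w" = "w" ]; then
        echo world-writable
        return 0
    fi
    case $kind in
        conf)
            # The conf files are the ones to protect: nothing for "other"
            if [ "$other" = "---" ]; then echo ok; else echo conf-exposed; fi
            ;;
        bin)
            # Readable but not executable by "other": anyone can copy the
            # file and chmod the copy, so withholding o+x restricts nothing
            case $o_x in
                x|t) echo ok ;;
                *)  if [ "$o_r" = "r" ]; then echo exec-restriction-ineffective
                    else echo ok; fi ;;
            esac
            ;;
        *) echo unknown-kind ;;
    esac
}

# audit_file KIND PATH: read the live mode with ls and classify it
audit_file() {
    m=$(ls -ld "$2" | cut -c1-10)
    printf '%s %s %s\n' "$2" "$m" "$(check_mode "$1" "$m")"
}

# Mode strings taken from the ls output quoted in the thread
check_mode bin  -rwxr-xr--    # bconsole as installed
check_mode bin  -rwxr-xr-x    # the mode Martin suggests
check_mode conf -rw-r-----    # the conf files
```

To check an installed system, call `audit_file bin /usr/local/sbin/bconsole` and `audit_file conf` on each conf file, including bconsole.conf.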
