In the message dated: Wed, 24 Oct 2007 14:39:00 BST,
The pithy ruminations from Simon Barrett on
<Re: [Bacula-users] Problem backing up catalog> were:
=> On Tuesday 23 October 2007 14:52:21 Mateus Interciso wrote:
=> > On Tue, 23 Oct 2007 14:44:15 +0100, Chris Howells wrote:
=> > > Mateus Interciso wrote:

[SNIP!]

=>
=>
=> On this matter; adding the password to the RunBeforeJob line causes my
=> database password to appear on the status emails:
=>
=> 24-Oct 13:09 fs01-dir: BeforeJob: run command "/etc/bacula/make_catalog_backup
=> bacula bacula MyPasswordHere"
=>
=> Status emails are sent in clear text across our network. Is there a
=> recommended solution to include sensitive variables in the config files
=> without exposing them like this?

Sure. Here's one easy solution:

In $BACULA/bacula-dir.conf, have the catalog backup job call a wrapper script
instead of calling make_catalog_backup directly, as in:

=========== bacula-dir.conf snippet =======================================
# Backup the catalog database (after the nightly save)
Job {
  Name = "BackupCatalog"
  Type = Backup
  Level = Full
  Messages = Standard
  Priority = 10
  Storage = pv132t
  Prefer Mounted Volumes = yes
  Maximum Concurrent Jobs = 1
  Pool = Incremental
  Incremental Backup Pool = Incremental
  SpoolData = yes
  Client = parthenon-fd
  FileSet="Catalog"
  Schedule = "AfterBackup"
  RunBeforeJob = "/usr/local/bacula/bin/make_catalog_backup.wrapper"
  RunAfterJob = "/usr/local/bacula/bin/run_after_catalog_backup"
  Write Bootstrap = "/usr/local/bacula/var/working/BackupCatalog.bsr"
  Priority = 11                   # run after main backup
}
===========================================================================

The wrapper script is something like:

=================== make_catalog_backup.wrapper ===========================
#! /bin/sh
exec /usr/local/bacula/bin/make_catalog_backup bacula bacula $PASSWORD
===========================================================================

This will prevent mail from bacula from including the database password.

The advantage to this method is that it doesn't change make_catalog_backup, so
that future bacula upgrades will be transparent.

The good news is that mysql is security-conscious enough to overwrite the
command line parameter for the password, so a "ps" display doesn't show the
password as part of the mysql command.

Unfortunately, make_catalog_backup is not that smart, and a "ps" (or grepping
through /proc) will show the password on the command-line. If the backup server
is a single user machine that you consider secure, this may not represent too
much of a risk.

On the other hand, if you want to eliminate this problem completely, skip the
wrapper script and modify make_catalog_backup so that it uses hard-coded values
from within the script instead of command-line parameters for the dbname, the
dbuser, and the password.

=>
=> Regards,
=>
=> Simon Barrett
=>

----
Mark Bergman    [EMAIL PROTECTED]
System Administrator
Section of Biomedical Image Analysis    215-662-7310
Department of Radiology, University of Pennsylvania

http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=mark.bergman%40.uphs.upenn.edu

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
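
Added example, not part of the original message and not Bacula's own script: a wrapper that keeps the catalog password out of both the job log and every process command line by handing it to the MySQL client through a private option file. It assumes a MySQL catalog dumped directly with mysqldump instead of through make_catalog_backup; the credential file path, the output directory and the CRED_FILE, OUT_DIR and DUMP_CMD variables are hypothetical names chosen for this example.

```sh
#!/bin/sh
# Added example, not Bacula's script. All paths below are assumptions.
CRED_FILE="${CRED_FILE:-/usr/local/bacula/etc/catalog.pw}"  # one line: the password
OUT_DIR="${OUT_DIR:-/usr/local/bacula/var/working}"
DUMP_CMD="${DUMP_CMD:-mysqldump}"

# Succeed only if group and others have no access to the file ($1).
check_cred_perms() {
    perms=$(ls -ln "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Create a private MySQL option file for user $1 and print its path.
make_option_file() {
    umask 077                      # runs in a subshell via $(...), caller unaffected
    optfile=$(mktemp "${TMPDIR:-/tmp}/catalog.XXXXXX") || return 1
    IFS= read -r dbpass < "$CRED_FILE" || [ -n "$dbpass" ] || return 1
    # printf is a builtin in bash and dash, so the password never enters any argv.
    # Assumes the password contains no double quote or backslash.
    printf '[client]\nuser=%s\npassword="%s"\n' "$1" "$dbpass" > "$optfile"
    printf '%s\n' "$optfile"
}

# Dump database $1 as user $2 without the password on a command line.
backup_catalog() {
    dbname=$1
    dbuser=$2
    if ! check_cred_perms "$CRED_FILE"; then
        echo "refusing $CRED_FILE: missing or accessible by group or others" >&2
        return 1
    fi
    optfile=$(make_option_file "$dbuser") || return 1
    # --defaults-extra-file must be the first option given to the client.
    "$DUMP_CMD" --defaults-extra-file="$optfile" --opt "$dbname" \
        > "$OUT_DIR/$dbname.sql"
    rc=$?
    rm -f "$optfile"
    return $rc
}

# RunBeforeJob would call: <this script> bacula bacula  (no password argument)
if [ $# -eq 2 ]; then
    backup_catalog "$1" "$2"
fi
```

Because the option file is created with mode 0600 and removed after the dump, neither "ps" nor the Bacula status email ever carries the password; only the file path appears in the mysqldump arguments.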