Hi, 27.05.2009 11:29, Silver Salonen wrote: > On Wednesday 27 May 2009 11:34:43 Arno Lehmann wrote: >> Hi, >> >> 27.05.2009 09:59, Silver Salonen wrote: >>> Hello. >>> >>> Does anyone know what's the optimal/minimal ACL for a user using Bat? I > know >>> that wx-console used commands .status, .clients etc. >>> >>> What commands are needed by Bat to be usable? >> I'm not sure... probably all the commands, including all the .commands. >> >> The problem I see is that BAT is, currently, not designed to handle >> restricted access. >> >> You'd probably have better results if you don't limit BATs access by >> commands, but to limited pools, clients, etc. >> >> As far as I know, BAT reads the known resources on startup. If it >> doesn't see some pools, for example, it will not try to work with >> those. If, on the other hand, it know about all pools, and gets errors >> from some commands it passes to the DIR, chances are that BAT will >> simply crash. >> >> Good luck! >> >> Arno > > Thanks for the suggestions! > > I compared admin-ran Bat's commands to the user-ran one and figured out the > missing commands. > > I ended up with such ACL for commands: > ========== > CommandACL = status, run, .status, restore, list, help, query, .filesets, > .storage, .defaults, .messages, .backups, .api, .jobs, .clients, .filesets, > .msgs, .pools, .storage, .types, .levels, .sql, .mod > ========== > > Now everything seems to work quite OK, but when I try to restore a file from > Version Browser, I'm taken to the restore-window, but then I get an error: > ========== > bat: console/console.cpp:560 send: .mod restoreclient="black-fd" > fileset="Full > Set" storage="storage-black" replace="always" when="2009-05-27 12:20:47" > bootstrap="/var/db/bacula/bkp-dir.restore.5.bsr" > where="/mnt/da1/bacula/restores" priority="10" yes > > bat: console/console.cpp:585 DisplaytoPrompt > bat: console/console.cpp:628 got: No authoriztion for "where" specification. > ========== > > Any idea where this authorization problem can be fixed?
WhereACL probably. > > PS. As server has to accept a ".sql" command from Bat and it seems that it > just executes any SQL-commands based on that, it's quite a dangerous command > to allow - a modified version of Bat or any other client could then do > anything with the database, couldn't it? Right... one of the reasons I think the ACLs are not very helpful to limit access for BAT. Some others may be annoying but are not necessarily dangerous - umount, for example. Arno > -- > Silver > -- Arno Lehmann IT-Service Lehmann Sandstr. 6, 49080 Osnabrück www.its-lehmann.de ------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com _______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
