Re: [Bacula-users] Bacula security

Mon, 01 Jul 2013 06:56:23 -0700 

On 07/01/13 09:11, Grant wrote:
>>>> Bacula does have root read (and write) privileges on every backed-up 
>>>> system,
>>>> but you can encrypt the backups before sending them to the central server.
>>>> Bacula can also sign the backups, so the client can verify that a restore
>>>> doesn't contain modified data.  You still have to keep the
>>>> encryption/signing
>>>> keys secure of course.
>>>
>>> Thanks for your help.  I don't think I have the b*lls to give root
>>> read/write on every system to the backup server. :)
>>>
>>> - Grant
>>
>> You are free to operate the FD (Client) with any permission you like,
>> but you have to take care that the FD is able to read anything you
>> like to backup and i case of restore it should be able to write and
>> maybe to "chown" the files in question.
> 
> I may have misunderstood before.  The FD runs on the client machines,
> correct?  Read and writing to localhost is no problem.  What worries
> me is one machine having root read(/write) permission on another
> machine.  Can bacula operate without that?

The Director does not connect to client machines at all except through
the FD.  So you have probably misunderstood something, yes.

That said, the Director can run more-or-less-arbitrary commands on the
client through the FD with the FD's privileges, and if you want Bacula
to be able to back up and restore all data on the system it must run  as
root, so if your Director is compromised, it can almost certainly be
used to gain access to the clients.  However, it should already go
without saying that your Director, since it has access to all the backup
data of all clients, needs to be carefully controlled.


-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
  Renaissance Man, Unix ronin, Perl hacker, SQL wrangler, Free Stater
                 It's not the years, it's the mileage.

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Reply via email to