On 12/18/2015 08:36 AM, H. Steuer wrote:
> Hello,
>
> our current understanding of the bacula security model is, that it is not
> possible to disable the anonymous aka default console.
> This leads to the fact that all users having root access to one of the
> clients have access to all data that was backed up by bacula.
> In a network with hundreds of hosts, it is very likely that there are users
> with root access on one or the other machine. Mail server admins have to
> manage their systems, web server admins manage theirs. But simply installing
> bconsole and accessing the director with the anonymous console enables each
> of them to fully access the backup of all machines. This means that if a
> user has root access to one client, he has kind of full access to all backed
> up hosts.
>
> Hopefully there is something that I misunderstood. As this makes all
> firewalls and ACL controls in a network useless if Bacula really opens up
> the gates in that way.
>
> Thanks for enlightening me.
>
> Cheers,
> Heri

Hi Heri,

A user on a remote host cannot access the director by simply installing
bconsole and connecting to the director.

In the Director's bacula-dir.conf file, there is a Director {} resource
section where a password is defined. A remote user would need to know this
password, and set it in their bconsole.conf file (or bat.conf file) before
the director would even allow the connection.

Additionally, whenever there is a failed connection attempt, Bacula will log
it and send this notification to any email addresses defined in its
Message {} resource named "daemon" (by default).

While the connections between the director and remote bconsole are not
encrypted (by default), the passwords are never sent in the clear.

Also, as Alan mentioned, you can define restricted consoles to limit
visibility and accessibility to hosts and data a remote admin is not
responsible for.

Hope this relieves you of your concerns. :)

Bill

--
Bill Arlofski
http://www.revpol.com/bacula
-- Not responsible for anything below this line --
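
The default console and a restricted console from the reply above, shown side by side as an added example that is not part of the original thread. All resource names, host names, job names and passwords are constructed placeholders; the directives are standard Bacula Console ACL directives.

```conf
# ---- bacula-dir.conf (on the Director) --------------------------------
# Default console: anyone who knows this password gets unrestricted
# access, so it belongs only on the backup administrators' machines.
Director {
  Name = backup-dir                          # constructed name
  Password = "<default-console-password>"    # placeholder
  # (other required Director directives omitted from this fragment)
}

# Restricted console for the mail server admins. Anything not listed
# in an ACL is invisible to this console and cannot be used by it.
Console {
  Name = mail-admin-console                  # constructed name
  Password = "<mail-admin-console-password>" # placeholder, unique per console
  ClientACL  = mail01-fd                     # only this client
  JobACL     = "BackupMail", "RestoreMail"   # only these jobs
  FileSetACL = "MailSet"
  PoolACL    = MailPool
  StorageACL = File1
  CatalogACL = MyCatalog
  WhereACL   = "/tmp/bacula-restores"        # restores land only here
  CommandACL = run, restore, status, messages, list
}

# ---- bconsole.conf (on the mail admin's host) -------------------------
Director {
  Name = backup-dir
  DIRport = 9101
  Address = backup.example.org               # constructed host name
  # A named Console logs in with its own name and password, so the
  # default console password is deliberately NOT stored on this host.
  Password = "<unused>"
}

Console {
  Name = mail-admin-console                  # must match the Director side
  Password = "<mail-admin-console-password>"
}
```

With this layout, root on the mail server exposes only the restricted console's credentials, which limits that user to the clients, jobs and restore location listed in the ACLs.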