Hello Heri,

Maybe the misunderstanding here is because in bacula-fd.conf the client's password used for communicating with the director is in a Director resource. All the daemons (clients and storage daemons) have their own passwords for communicating with the director, not for communicating with bconsole, and all the daemons, including the director, use the CRAM-MD5 authentication mechanism between them.

Also, you can always improve the security of your Bacula backup system by configuring communications and/or data encryption. As you can see, Bacula has a lot of security features that can help you to protect your backups.

Best regards,
Ana

On Fri, Dec 18, 2015 at 8:28 PM, Kern Sibbald <k...@sibbald.com> wrote:
> On 12/18/2015 06:46 PM, H. Steuer wrote:
> > Hello Kern,
> >
> > thanks for your comment. Probably I did not understand the security model of Bacula so far. Furthermore, you misread my post. The point is not anybody having root access to the Bacula server - that's absolutely not the case. And there are just very few users with root access on servers. But let's assume an administrator that manages mail servers only has root privileges on his mail servers (not on any other machine, just his few mail servers).
> >
> > This mail server has a file daemon configuration locally where the director password is stored. That's necessary for the director to connect to this particular client. So far so good. For my understanding, and please correct me if I'm wrong, I can use the same password that is part of the file daemon configuration in the bconsole.conf to gain anonymous console. So an evil administrator could read the password out of the bacula-fd.conf, install bconsole and create just a bconsole.conf with the same password he extracted from the bacula-fd.conf.
> >
> > Probably I just missed the point here and my assumption is wrong. At least my local tests confirmed that this is the case.
> >
> > Can you please leave a comment on this?
>
> Yes, you have very likely "misconfigured" your File Daemon. In the Director resource of the FD, you should put the password that is in the Client resource of the bacula-dir.conf file and definitely not the password that is in the Director resource of the bacula-dir.conf file.
>
> It may seem a bit confusing at the beginning, but the FD Director resource should have the password that the Director will use when connecting to the Client (i.e. the bacula-dir.conf Client password).
>
> The password that is in the Director resource of bacula-dir.conf should *only* be used in the bconsole.conf file on machines where you want the administrator to have full control of Bacula.
>
> Once you "get" this, your security concerns mentioned in these emails about Bacula will most likely go away.
>
> This arrangement is shown in various diagrams in the Bacula manual, but Dan Langille has a much clearer diagram of this process that may help you.
>
> Best regards,
> Kern
>
> > Thanks,
> > Heri
> >
> > On 18.12.2015 17:56, Kern Sibbald wrote:
> > > Hello,
> > >
> > > If you have hundreds of users with root access and they can access the Bacula Director machine as root, you have a far bigger security problem than just Bacula, since they can do anything to your machines and the Bacula Director machine, and there is no way Bacula could ever avoid it.
> > >
> > > Root access to your Bacula Director machine gives the person access to everything including everything in Bacula. On *nix machines that is normal and it is unavoidable.
> > >
> > > Thus in a network such as yours you must be careful never to allow external root access to any machine you want to be secure. Access should always be via a user id and password, and sudo root access should always be disallowed to everyone except trusted administrators. There are, of course, other more complicated ways to accomplish the same thing.
> > >
> > > Bacula has been around for 15 years now, and if there were a serious security design error, it would have been pointed out a long time ago. I assume you already understand my comments about sudo and root access, and I am sure when you fully understand Bacula's security and apply "normal" *nix security (sudo, ...) on top of it, you will have a secure backup system.
> > >
> > > Best regards,
> > > Kern
> > >
> > > On 12/18/2015 05:34 PM, H. Steuer wrote:
> > > > Hello Bill,
> > > >
> > > > you are right, but there is a serious side effect. Here's a statement from the Bacula docs:
> > > >
> > > > The first console type is an anonymous or default console, which has full privileges. There is no console resource necessary for this type since the password is specified in the Director resource. Typically you would use this anonymous console only for administrators.
> > > >
> > > > So this means that - as there is no configuration item for the anonymous console in the "bacula-dir.conf", it uses the password from the "Director" section. As this is also the password that's used for the director to access the client file daemon, we have now the result that this is the same password that can be used in a "Director" section of the bconsole.conf. I just gave it a try and changed the password in the Director section of the bacula-dir.conf. Then I have chosen a random client, installed bconsole, created a bconsole.conf with the same password and voila - had full access to all the backups.
> > > >
> > > > So the final result is that you can always use the same password in the bconsole.conf Director section as the one that's configured in your bacula-fd.conf Director section which then grants you administrative privileges in the director.
> > > >
> > > > Thanks for your support so far, let me know your thoughts....
> > > >
> > > > Cheers,
> > > > Heri
> > > >
> > > > On 18.12.2015 17:19, Bill Arlofski wrote:
> > > > > On 12/18/2015 10:30 AM, H. Steuer wrote:
> > > > > > Hello Bill,
> > > > > >
> > > > > > thanks for your explanation. I fully understand your point. However, if a user has root privileges on one host which is backed up, there is already a file daemon config that holds the director password. Please correct me if I'm wrong, but my understanding is that the anonymous console does not require (and cannot have) a "Console" configuration on the director. Therefore such a root user could install the bconsole client on his host, configure the bconsole towards the director with the password grabbed from the file daemon and then connect to the director.
> > > > >
> > > > > The password in the Director {} resource of the bacula-fd.conf file on a client is the password that the Director must supply to connect to the FD, not the other way around.
> > > > >
> > > > > Try it. :) Try using this password in a bconsole.conf file and attempt to connect to the Director. You will be denied access.
> > > > >
> > > > > On the Director, a Client {} resource needs to be created where a matching password is set for each FD.
> > > > >
> > > > > Hope this makes it a little more clear.
> > > > >
> > > > > Bill
> > > >
> > > > --
> > > > PATRONAS Financial Systems GmbH
> > > > Schnewlinstr. 4
> > > > 79098 Freiburg
> > > > fon +49 (0)761 400688-11
> > > > fax +49 (0)761 400688-61
> > > > ste...@patronas.com
> > > > http://www.patronas.com
> > > > PGP: 47AB0548
> > > > commercial register: Amtsgericht Freiburg, HRB 7212
> > > > executive board: Heribert Steuer, Carsten Osswald
------------------------------------------------------------------------------
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
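The arrangement Kern and Bill describe (the FD's Director {} password must equal that client's Client {} password in bacula-dir.conf, and must never be the Director {} password that bconsole.conf uses) can be checked mechanically. The following Python audit is an added example, not code from the thread or from the Bacula project. It parses only the flat `Type { Key = Value }` subset of Bacula syntax shown here; the resource names, hostnames and PLACEHOLDER passwords are constructed for the example and are not real values.

```python
import re

# Constructed sample bacula-dir.conf (not from the thread); passwords are placeholders.
BACULA_DIR_CONF = """
Director {
  Name = backup-dir
  Password = "DIRECTOR_CONSOLE_PASSWORD_PLACEHOLDER"  # belongs in bconsole.conf only
}
Client {
  Name = mail01-fd
  Address = mail01.example.invalid
  Password = "MAIL01_CLIENT_PASSWORD_PLACEHOLDER"     # what the Director presents to this FD
}
Client {
  Name = web01-fd
  Address = web01.example.invalid
  Password = "WEB01_CLIENT_PASSWORD_PLACEHOLDER"
}
"""

# Correct bacula-fd.conf on mail01: its Director {} carries the Client password from bacula-dir.conf.
MAIL01_FD_CONF_OK = """
Director {
  Name = backup-dir
  Password = "MAIL01_CLIENT_PASSWORD_PLACEHOLDER"
}
FileDaemon {
  Name = mail01-fd
}
"""

# The misconfiguration discussed in the thread: the FD was given the Director's own console
# password, so whoever can read this file can also build a working bconsole.conf.
MAIL01_FD_CONF_BAD = MAIL01_FD_CONF_OK.replace(
    "MAIL01_CLIENT_PASSWORD_PLACEHOLDER", "DIRECTOR_CONSOLE_PASSWORD_PLACEHOLDER")

RESOURCE_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)
ITEM_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(.*?)\s*$")


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def _unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_resources(text):
    """Return [(resource_type, {key: value})] for flat 'Type { Key = Value }' blocks.

    Keys are lowercased with spaces removed; nested braces are not supported.
    """
    resources = []
    for match in RESOURCE_RE.finditer(text):
        items = {}
        for raw in match.group(2).splitlines():
            item = ITEM_RE.match(_strip_comment(raw))
            if item:
                items[item.group(1).replace(" ", "").lower()] = _unquote(item.group(2))
        resources.append((match.group(1), items))
    return resources


def _first(resources, rtype, name=None):
    for kind, items in resources:
        if kind == rtype and (name is None or items.get("name") == name):
            return items
    return None


def audit_fd_password(dir_conf, fd_conf, client_name):
    """Classify the password in an FD's Director {} resource against bacula-dir.conf.

    'ok'                        equals the matching Client {} password (correct)
    'director-password-reused'  equals the Director {} console password (the thread's problem)
    'mismatch'                  equals neither (the Director cannot authenticate to this FD)
    'no-such-client'            bacula-dir.conf has no Client {} with that name
    """
    dir_res = parse_resources(dir_conf)
    console_pw = _first(dir_res, "Director")["password"]
    client = _first(dir_res, "Client", client_name)
    if client is None:
        return "no-such-client"
    fd_pw = _first(parse_resources(fd_conf), "Director")["password"]
    if fd_pw == console_pw:
        return "director-password-reused"
    return "ok" if fd_pw == client["password"] else "mismatch"


def clients_sharing_console_password(dir_conf):
    """Names of Client {} resources whose password equals the console password; should be empty."""
    dir_res = parse_resources(dir_conf)
    console_pw = _first(dir_res, "Director")["password"]
    return [i["name"] for k, i in dir_res if k == "Client" and i.get("password") == console_pw]


if __name__ == "__main__":
    print("mail01 (correct):", audit_fd_password(BACULA_DIR_CONF, MAIL01_FD_CONF_OK, "mail01-fd"))
    print("mail01 (reused): ", audit_fd_password(BACULA_DIR_CONF, MAIL01_FD_CONF_BAD, "mail01-fd"))
    print("clients reusing console password:", clients_sharing_console_password(BACULA_DIR_CONF))
```

To run this against real files, pass `open("/etc/bacula/bacula-dir.conf").read()` and the client's bacula-fd.conf contents instead of the constructed strings. A `director-password-reused` result is the condition Heri reproduced; `ok` is the arrangement Bill's "try it" test confirms at runtime, since an FD password then gets no further than the FD.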