Maybe this confusion could have been avoided if "anonymous" were not written in the manual - because it indeed is not "anonymous" as such :)

--
Silver

On 18.12.2015 18:34, H. Steuer wrote:

Hello Bill,

you are right, but there is a serious side effect. Here's a statement from the Bacula docs:


      The first console type is an anonymous or default console, which
      has full privileges. There is no console resource necessary for
      this type since the password is specified in the Director
      resource. Typically you would use this anonymous console only
      for administrators.


So this means that - as there is no configuration item for the anonymous console in the "bacula-dir.conf", it uses the password from the "Director" section. As this is also the password that's used for the director to access the client file daemon, we have now the result that this is the same password that can be used in a "Director" section of the bconsole.conf. I just gave it a try and changed the password in the Director section of the bacula-dir.conf. Then I chose a random client, installed bconsole, created a bconsole.conf with the same password and voila - had full access to all the backups.

So the final result is that you can always use the same password in the bconsole.conf Director section as the one that's configured in your bacula-fd.conf Director section, which then grants you administrative privileges in the director.

Thanks for your support so far, let me know your thoughts....

Cheers,
Heri





On 18.12.2015 17:19, Bill Arlofski wrote:
On 12/18/2015 10:30 AM, H. Steuer wrote:
Hello Bill,

thanks for your explanation. I fully understand your point. However, if a user has root privileges on one host which is backed up, there is already a file daemon config that holds the director password. Please correct me if I'm wrong, but my understanding is that the anonymous console does not require (and cannot have) a "Console" configuration on the director. Therefore such a root user could install the bconsole client on his host, configure the bconsole towards the director with the password grabbed from the file daemon and then connect to the director.

The password in the Director {} resource of the bacula-fd.conf file on a
client is the password that the Director must supply to connect to the FD, not
the other way around.

Try it. :)   Try using this password in a bconsole.conf file and attempt to
connect to the Director. You will be denied access.

On the Director, a Client {} resource needs to be created where a matching
password is set for each FD.

Hope this makes it a little more clear.

Bill
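
A check for the password reuse discussed in this thread, as an added example that is not part of the original messages or of Bacula itself: it parses a bacula-dir.conf and lists every Client {} resource whose Password equals the Password of the Director {} resource, i.e. the default console password. The sample configuration, its names and its passwords are constructed, and the parser is a simplified one that handles only plain `Key = value` directives.

```python
import re

# Constructed sample bacula-dir.conf fragment; names and passwords are made up.
SAMPLE_DIR_CONF = '''
Director {
  Name = backup-dir
  Password = "s3cret#shared"    # password of the default console
}
Client {
  Name = web01-fd
  Password = "s3cret#shared"    # same value, so it is also in bacula-fd.conf on web01
}
Client {
  Name = db01-fd; Address = db01.example.org
  Password = "unique-db01-pw"
}
'''

TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{}]')
DIRECTIVE = re.compile(r'(?:^|;)\s*([A-Za-z][A-Za-z ]*?)\s*=\s*("[^"]*"|[^;\n]*)', re.M)

def directives(body):
    """Map directive names (case and spaces ignored) to unquoted values."""
    return {k.replace(' ', '').lower(): v.strip().strip('"') for k, v in DIRECTIVE.findall(body)}

def parse_resources(text):
    """Return [(type, directives)] per top-level resource; '#' inside quotes is kept."""
    text = TOKEN.sub(lambda m: '' if m.group(0)[0] == '#' else m.group(0), text)
    resources, depth, prev_end = [], 0, 0
    for m in TOKEN.finditer(text):
        if m.group(0) == '{':
            if depth == 0:  # resource type is the word just before the opening brace
                rtype, body_start = text[prev_end:m.start()].strip().lower(), m.end()
            depth += 1
        elif m.group(0) == '}':
            depth -= 1
            if depth == 0:
                resources.append((rtype, directives(text[body_start:m.start()])))
                prev_end = m.end()
    return resources

def clients_sharing_director_password(conf_text):
    """Names of Client resources whose Password equals the Director's Password."""
    res = parse_resources(conf_text)
    dir_pw = {d['password'] for t, d in res if t == 'director' and 'password' in d}
    return sorted(d.get('name', '?') for t, d in res
                  if t == 'client' and d.get('password') in dir_pw)

print(clients_sharing_director_password(SAMPLE_DIR_CONF))
```

Any client name it prints should get its own password in the matching Client {} resource and in that host's bacula-fd.conf.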