Wolfram Schlich wrote:
> * Dan Langille <[EMAIL PROTECTED]> [2008-07-22 18:02]:
>> Tullio Andreatta ML wrote:
>>> Dan Langille wrote:
>>>> This post deals with old and already fixed security issues. They are
>>>> fixed in Bacula. They may not be fixed in the reported vendor code,
>>>> in this case Gentoo.
>>>>
>>>> I noticed these two security reports today:
>>>>
>>>> http://www.securityfocus.com/archive/1/494604
>>>> http://www.net-security.org/advisory.php?id=9098
>>>>
>>>> I have replied to the first one, directing them to the original
>>>> problem report: http://bugs.bacula.org/view.php?id=990
>>>>
>>>> NOTE: this issue was first documented in 2005 by the Bacula project.
>>>> The documentation contains several examples as to how to avoid this
>>>> situation.
>>> I modified the make_catalog_backup to provide db password on stdin.
>>> Then I call the script with
>>> (echo password; exec sleep 1) | make_catalog_backup bacula bacula -
>>> to hide the password on the command line.
>> I'm not convinced this solves the problem. The password is still
>> available publicly, via ps auwx, for a short time.
>
> https://bugs.gentoo.org/show_bug.cgi?id=196834#c3

The above uses my.conf, which is what we documented and advise:

http://www.bacula.org/en/rel-manual/Catalog_Maintenance.html#SECTION0024130000000000000000

_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
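
The approach the last reply points to, keeping the catalog credentials in an owner-only MySQL option file instead of on a command line, sketched as an added example that is not part of this thread and is not Bacula's make_catalog_backup. The function names and the temp-file name are hypothetical, and it assumes a password without double quotes or backslashes.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not Bacula's make_catalog_backup).

# Read the catalog password from stdin and write a MySQL option file that
# only the owner can read. Prints the file's path on stdout.
write_client_cnf() {
    cnf_user=$1
    IFS= read -r cnf_pass || return 1
    # Assumption: reject characters that would need escaping inside the
    # double-quoted option value.
    case $cnf_pass in
        *\"*|*\\*) return 2 ;;
    esac
    # The subshell keeps the restrictive umask from leaking to the caller.
    cnf_path=$(umask 077 && mktemp "${TMPDIR:-/tmp}/catalog-cnf.XXXXXX") || return 1
    # printf is a builtin in bash and dash, so no new process carries the
    # password in its argument list where ps could show it.
    {
        printf '[client]\n'
        printf 'user=%s\n' "$cnf_user"
        printf 'password="%s"\n' "$cnf_pass"
    } > "$cnf_path"
    printf '%s\n' "$cnf_path"
}

# Dump the catalog without the password appearing in any argv.
# Usage: dump_catalog bacula bacula /path/to/bacula.sql < password-file
dump_catalog() {
    dc_db=$1 dc_user=$2 dc_out=$3
    dc_cnf=$(write_client_cnf "$dc_user") || return 1
    dc_rc=0
    # --defaults-extra-file must be the first option on the command line.
    mysqldump --defaults-extra-file="$dc_cnf" "$dc_db" > "$dc_out" || dc_rc=$?
    rm -f "$dc_cnf"
    return "$dc_rc"
}
```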