2013/9/6, Kern Sibbald <k...@sibbald.com>:
> Hello,
>
> The only security issue is that a "user" should not have access
> to the Bacula Director. Only qualified sys admins should have
> such access.
>
> Best regards,
> Kern
>
That's not true. There are other security issues related to the fact that the Bacula TCP stream could be altered by malicious attackers using one or more of the network attacks known today (and there are a lot of them). The problem here is that Bacula on client machines has more permissions than it needs, and this vulnerability could be exploited even if the attacker is not able to exploit the Bacula server system. This is a fact.

And even if it wasn't like that, let's suppose (a false thing) that the attack could start only by exploiting the Bacula server machine. Can you please tell me why an exploited system has to have free access to the keys which could exploit every system on its network? Is it right to consider Bacula the centralized point of security of an entire network system? What if it fails?

Accountability and access control are main security matters, and currently Bacula isn't implementing them very well on this specific question. We shouldn't justify the current architecture just because it is easier to maintain it the way it is.

I'm not saying that designing some sort of criteria which limits Bacula's permissions is an easy task; we all know that security itself is not an easy task. But I'm sure of one thing: it could be done, and it could be done well if somebody focuses on that. I'm sure of another thing: it will never be better if everybody keeps saying that nothing can be done about it.

I hope Bacula's designer will take care of that, because it IS an issue. Meanwhile you should, at least, worry about your Bacula server and your network hardening, because you really need it. I suggest the use of VPN tunnels.

_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel