Thanks for the replies.
Let me just say that Bacula is a great piece of software and we are using it in
7 production environments for our customers without any significant issues.
Our security architecture is based on separation of functions into separate VMs
using xen. Thus we have a mail server, a file server and a bacula director
server etc. This means that if one server is compromised, we can limit the
damage. We can also limit access to users by function (e.g., a user who can run
backups, a user who maintains AD etc).
Being able to remotely run any command on any machine from bacula breaks this
security.
I have successfully used command locked ssh run before (director) commands
instead of run before client commands to get around some restrictions (timeout)
and I guess this might be a (painful) solution if run before client could be
disabled. Ideally though, a capability like command locked ssh is what is
needed.
Regards
Steve Lee
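
The "command locked ssh" arrangement mentioned above, sketched as an OpenSSH forced command. This is an added example, not part of the original message or of Bacula; the script name, paths, account and action names are hypothetical.

```shell
#!/bin/sh
# backup-gate: forced-command wrapper for the key the Director uses.
#
# authorized_keys entry on the client (key material is a placeholder):
#   command="/usr/local/sbin/backup-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> director
#
# The Director then runs, from a director-side run before command:
#   ssh backup@client pre-backup
# sshd ignores the command the caller asked for, starts this script
# instead, and passes the request in SSH_ORIGINAL_COMMAND.

# Map a requested action name to the one fixed program it may start.
# Prints the program path and returns 0 if allowed, returns 1 otherwise.
# case patterns match the whole string, so "pre-backup; id" is refused.
gate_lookup() {
    case "$1" in
        pre-backup)  echo "/usr/local/sbin/pre-backup.sh" ;;
        post-backup) echo "/usr/local/sbin/post-backup.sh" ;;
        *)           return 1 ;;
    esac
}

# Decide on the request, log the decision, and run the mapped program.
gate_main() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    if target=$(gate_lookup "$request"); then
        logger -t backup-gate "allow: $request" 2>/dev/null || true
        # No shell re-parses the request: only the fixed path is executed.
        exec "$target"
    fi
    logger -t backup-gate "deny: $request" 2>/dev/null || true
    echo "backup-gate: request not permitted" >&2
    return 1
}

# Act only when installed under its real name (i.e. started by sshd).
case "$0" in
    */backup-gate) gate_main ;;
esac
```

A compromised Director holding this key can trigger only the two listed scripts on the client, and every refused request leaves a syslog entry.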
________________________________
From: Blake Dunlap <iki...@gmail.com>
Sent: 07 September 2013 00:50
To: Kern Sibbald
Cc: bacula-devel@lists.sourceforge.net
Subject: Re: [Bacula-devel] Client run before security concern
I could see where this could come into play in compliance and multi-tenant
situations.
It wouldn't hurt to have access masks on the client side as far as allowed
directories and / or functions like run commands, maybe even a way to set the
client read-only without explicit client action like turning it back off first
in the client config. That would fix a lot of the potential issues that are
left after encryption I suspect when the backup team is not considered a
trusted actor.
For reference, spacewalk / RHN do this already to a degree with the client
commands. The client does not consider the central point as a trusted actor and
they must be explicitly enabled.
-Blake
On Fri, Sep 6, 2013 at 5:27 PM, Kern Sibbald
<k...@sibbald.com> wrote:
Bacula is designed with as much security in mind as
I knew/know about. Perhaps you haven't yet had the time
to read the manual, but aside from not letting a "user" get access
to the Director, you can encrypt all the communications, you can
also run the FD in backup only mode, and restart it in read/write mode
if you want to restore something. There are many other things
you can do as well.
In most cases, it is easier to get root access to a Linux
system than it is to exploit a properly configured Bacula,
especially if you are running a web server on your machine.
If a user has root access he doesn't need Bacula
to get what he wants.
If you have some specific suggestions for improving
Bacula's security (and I suspect there are many things
to do, some of which I am implementing now), I suggest
you mention them.
Kern
On 09/06/2013 08:18 PM, stefano scotti wrote:
> 2013/9/6, Kern Sibbald <k...@sibbald.com>:
>> Hello,
>>
>> The only security issue is that a "user" should not have access
>> to the Bacula Director. Only qualified sys admins should have
>> such access.
>>
>> Best regards,
>> Kern
>>
>>
> That's not true.
>
> There are other security issues related to the fact that TCP bacula
> stream could be altered by malicious attackers using one or more of
> the network attacks known today (and they are a lot).
>
> The problem here is that bacula on client machines has more permission
> than it needs, and this vulnerability could be exploited even if the
> attacker is not able to exploit the bacula server system. This is a
> fact.
>
> And even if it wasn't like that, let's suppose (a false thing) that
> the attack could start only by exploiting the bacula server machine.
> Can you please tell me why an exploited system has to have free
> access to the keys which could exploit every system of its network?
> Is it right to consider Bacula the centralized point of security of
> an entire network system? What if it fails?
>
> Accountability and access control are main security matters, and
> currently Bacula isn't implementing them very well on this specific
> question.
>
> We shouldn't justify the current architecture just because it is
> easier to maintain it in the way it is.
> I'm not saying that designing some sort of criteria which limits
> bacula permissions is an easy task, we all know that security
> itself is not an easy task.
>
> But I'm sure of a thing, it could be done, and it could be done well
> if somebody focuses in that.
> I'm sure of another thing, it will never be better if everybody will
> keep saying that nothing can be done about it.
>
> I hope bacula's designer will take care of that, because it IS an issue.
>
> Meanwhile you should, at least, worry about your bacula server and
> your network hardening, because you really need it.
>
> I suggest the use of VPN tunnels.
>
> ------------------------------------------------------------------------------
> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> Discover the easy way to master current and previous Microsoft technologies
> and advance your career. Get an incredible 1,500+ hours of step-by-step
> tutorial videos with LearnDevNow. Subscribe today and save!
> http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
> _______________________________________________
> Bacula-devel mailing list
> Bacula-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-devel
>