Hello,

Thanks for using Bacula :-)

See my note below ...

On 09/09/2013 11:07 AM, Steve Lee wrote:
> Thanks for the replies.
>
> Let me just say that Bacula is a great piece of software and we are using it in 7 production environments for our customers without any significant issues.
>
> Our security architecture is based on separation of functions into separate VMs using Xen. Thus we have a mail server, a file server and a Bacula director server etc. This means that if one server is compromised, we can limit the damage. We can also limit access to users by function (e.g., a user who can run backups, a user who maintains AD, etc.).
>
> Being able to remotely run any command on any machine from Bacula breaks this security.

I would put one minor qualification on the above statement that Bacula allows any user to run any *job*, if you have not set up Bacula ACLs and restricted consoles.

In any case, if a user can run a given job on a given client, it is possible that Bacula
can implement any command on that given machine only provided:

1. You have defined a run script that will run on that machine in the
    bacula-dir.conf file.

2. The script that it accesses on the client machine will be executed, but
    if you set it up correctly, it cannot be changed by users.

Thus the Bacula sys admin should (unless I am missing something) be in
control of what runs and on what machine.

In the next version, though it is not currently implemented, I plan to have
a ScriptsDirectory directive in the FD conf file that will limit run scripts to always
run from that specific directory, which will permit even tighter control on
the security aspects of run scripts.


> I have successfully used command locked ssh run before (director) commands instead of run before client commands to get around some restrictions (timeout) and I guess this might be a (painful) solution if run before client could be disabled. Ideally though, a capability like command locked ssh is what is needed.

Command locked ssh can be a very useful tool, but without a lot of
work, it is not as fine grained as restricted consoles.

Best regards,
Kern

> Regards
> Steve Lee
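
An added example, not part of the thread and not Bacula's own code: a small audit of a Director configuration that lists every command a Job would run on its client, which is the inventory an administrator needs to stay in control of what runs on which machine. The sample configuration is constructed, and the parser assumes one directive per line and does not resolve JobDefs inheritance.

```python
import re

# Constructed bacula-dir.conf fragment (sample input, not from the thread).
SAMPLE_CONF = '''
Job {
  Name = "mail-backup"
  Client = mail-fd
  Client Run Before Job = "/etc/bacula/scripts/dump-mail.sh"
}
Job {
  Name = "files-backup"
  Client = files-fd
  RunScript {
    RunsWhen = Before                 # RunsOnClient defaults to yes
    Command = "/tmp/snapshot.sh %c"
  }
  RunScript {
    RunsWhen = After
    RunsOnClient = no                 # runs on the Director, not reported
    Command = "/etc/bacula/scripts/report.sh"
  }
}
'''

def norm(key):  # Bacula ignores case and spaces in resource and directive names
    return re.sub(r"\s+", "", key).lower()

def client_side_commands(conf_text):
    """Return (job, client, command) for each script a Job runs on its client."""
    found, stack, job, script = [], [], {}, {}
    for raw in conf_text.splitlines():
        line = re.match(r'((?:[^"#]|"[^"]*")*)', raw).group(1).strip()  # drop unquoted '#' comments
        if line.endswith("{"):
            stack.append(norm(line[:-1]))
            job = {"cmds": []} if stack == ["job"] else job
            script = {"cmds": []} if stack[-1] == "runscript" else script
        elif line == "}" and stack:
            closed = stack.pop()
            if closed == "runscript" and script.get("runsonclient") not in ("no", "false"):
                job.setdefault("cmds", []).extend(script["cmds"])
            elif closed == "job":
                found += [(job.get("name"), job.get("client"), c) for c in job["cmds"]]
        elif "=" in line and stack[:1] == ["job"]:
            key, value = (part.strip().strip('"') for part in line.split("=", 1))
            target = script if stack[-1] == "runscript" else job
            if norm(key) in ("command", "clientrunbeforejob", "clientrunafterjob"):
                target["cmds"].append(value)
            else:
                target[norm(key)] = value.lower() if target is script else value
    return found
```

Any RunScript whose RunsOnClient value is not an explicit `no` or `false` is reported, so the audit errs on the side of listing too much rather than too little.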
------------------------------------------------------------------------
*From:* Blake Dunlap <iki...@gmail.com>
*Sent:* 07 September 2013 00:50
*To:* Kern Sibbald
*Cc:* bacula-devel@lists.sourceforge.net
*Subject:* Re: [Bacula-devel] Client run before security concern
I could see where this could come into play in compliance and multi-tenant situations.

It wouldn't hurt to have access masks on the client side as far as allowed directories and / or functions like run commands, maybe even a way to set the client read-only without explicit client action like turning it back off first in the client config. That would fix a lot of the potential issues that are left after encryption I suspect when the backup team is not considered a trusted actor.

For reference, spacewalk / RHN do this already to a degree with the client commands. The client does not consider the central point as a trusted actor and they must be explicitly enabled.

-Blake



On Fri, Sep 6, 2013 at 5:27 PM, Kern Sibbald <k...@sibbald.com> wrote:

    Bacula is designed with as much security in mind as
    I knew/know about.  Perhaps you haven't yet had the time
    to read the manual, but aside from not letting a "user" get access
    to the Director, you can encrypt all the communications, you can
    also run the FD in backup only mode, and restart it in read/write mode
    if you want to restore something.  There are many other things
    you can do as well.

    In most cases, it is easier to get root access to a Linux
    system than it is to exploit a properly configured Bacula,
    especially if you are running a web server on your machine.
    If a user has root access he doesn't need Bacula
    to get what he wants.

    If you have some specific suggestions for improving
    Bacula's security (and I suspect there are many things
    to do, some of which I am implementing now), I suggest
    you mention them.

    Kern

    On 09/06/2013 08:18 PM, stefano scotti wrote:
    > 2013/9/6, Kern Sibbald <k...@sibbald.com>:
    >> Hello,
    >>
    >> The only security issue is that a "user" should not have access
    >> to the Bacula Director.  Only qualified sys admins should have
    >> such access.
    >>
    >> Best regards,
    >> Kern
    >>
    >>
    > That's not true.
    >
    > There are other security issues related to the fact that TCP bacula
    > stream could be altered by malicious attackers using one or more of
    > the network attacks known today (and they are a lot).
    >
    > The problem here is that bacula on client machines has more permission
    > than it needs, and this vulnerability could be exploited even if the
    > attacker is not able to exploit the bacula server system. This is a
    > fact.
    >
    > And even if it wasn't like that, let's suppose (a false thing) that
    > the attack could start only by exploiting the bacula server machine.
    > Can you please tell me why an exploited system has to have free
    > access to the keys which could exploit every system of its network?
    > Is it right to consider Bacula the centralized point of security of
    > an entire network system? What if it fails?
    >
    > Accountability and access control are main security matters, and
    > currently Bacula isn't implementing them very well on this specific
    > question.
    >
    > We shouldn't justify the current architecture just because it is
    > easier to maintain it in the way it is.
    > I'm not saying that designing some sort of criteria which limits
    > bacula permissions is an easy task, we all know that security
    > itself is not an easy task.
    >
    > But I'm sure of a thing, it could be done, and it could be done well
    > if somebody focuses on that.
    > I'm sure of another thing, it will never be better if everybody will
    > keep saying that nothing can be done about it.
    >
    > I hope bacula's designer will take care of that, because it IS an issue.
    >
    > Meanwhile you should, at least, worry about your bacula server and
    > your network hardening, because you really need it.
    >
    > I suggest the use of VPN tunnels.
    >
    >
    
    > _______________________________________________
    > Bacula-devel mailing list
    > Bacula-devel@lists.sourceforge.net
    > https://lists.sourceforge.net/lists/listinfo/bacula-devel
    >


    