I'll definitely take a look at the restricted console/ACL capability, which 
seems pretty useful.
I guess it won't help though in the case where the server running the director 
has been compromised and a user can create bacula config files and run the 
console locally.

The scripts directory restriction sounds like the best solution.

Thanks again.

Steve
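The two controls discussed in this thread, the restricted console/ACL capability and a run-before command that is executed on the Director side through command-locked ssh, look roughly like the following. This is an added example, not configuration from the thread or from the Bacula project; the resource names, host names, paths, the IP address and the key text are all made up, and it assumes Bacula's Console and RunScript directives and OpenSSH's forced-command (`command=`, `restrict`) key options.

```conf
# bacula-dir.conf on the Director host (added example, names are constructed).
# A restricted console: this user can run one job against one client and
# see status and messages; everything else is denied by the ACLs.
Console {
  Name = "fileserver-operator"
  # Placeholder; use a long random secret.
  Password = "CHANGE-ME-long-random-string"
  JobACL = "BackupFileServer"
  ClientACL = "fileserver-fd"
  CatalogACL = "MyCatalog"
  CommandACL = "run", "status", "messages"
  StorageACL = *all*
  PoolACL = *all*
  FileSetACL = *all*
  ScheduleACL = *all*
  WhereACL = *all*
}

Job {
  Name = "BackupFileServer"
  Type = Backup
  Client = "fileserver-fd"
  FileSet = "FileServerData"
  Schedule = "Nightly"
  Storage = "File1"
  Pool = "Default"
  Messages = "Standard"
  # The pre-backup hook runs on the Director host (RunsOnClient = No), so the
  # client needs no ClientRunBeforeJob at all. The Director reaches the client
  # over ssh with a key that the client has locked to a single forced command
  # (see the authorized_keys entry below). No remote command is passed because
  # the forced command replaces whatever the connecting side would ask for.
  RunScript {
    RunsWhen = Before
    RunsOnClient = No
    FailJobOnError = Yes
    Command = "/usr/bin/ssh -i /etc/bacula/keys/fileserver_quiesce bacula-hook@fileserver.example.com"
  }
}

# ~bacula-hook/.ssh/authorized_keys on the client (fileserver.example.com).
# sshd runs only the forced command for this key, whatever the Director sends;
# 'restrict' (OpenSSH 7.2 and later) also disables port/agent forwarding and
# pty allocation, and 'from=' pins the key to the Director's address.
# The key material is a placeholder.
restrict,from="192.0.2.10",command="/usr/local/sbin/quiesce-fileserver.sh" ssh-ed25519 AAAA...PLACEHOLDER... bacula-dir@director.example.com
```

For the ACLs to apply, the operator's bconsole.conf needs a Console resource with the same Name and Password; a bconsole that only carries the Director resource connects as the default, unrestricted console. The division of labour matches the concern raised in the thread: the Console ACLs bound what a console user can do through the Director, while the forced command on the client bounds what the Director host itself can trigger on the client, so a compromised Director can start the quiesce script but cannot use that key to run anything else.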
________________________________
From: Kern Sibbald <k...@sibbald.com>
Sent: 09 September 2013 12:29
To: Steve Lee
Cc: Blake Dunlap; bacula-devel@lists.sourceforge.net
Subject: Re: [Bacula-devel] Client run before security concern

Hello,

Thanks for using Bacula :-)

See my note below ...

On 09/09/2013 11:07 AM, Steve Lee wrote:
Thanks for the replies.

Let me just say that Bacula is a great piece of software and we are using it in 
7 production environments for our customers without any significant issues.

Our security architecture is based on separation of functions into separate VMs 
using xen. Thus we have a mail server, a file server and a bacula director 
server etc. This means that if one server is compromised, we can limit the 
damage. We can also limit access to users by function (e.g. a user who can run 
backups, a user who maintains AD etc).

Being able to remotely run any command on any machine from bacula breaks this 
security.

I would put one minor qualification on the above statement: Bacula allows any 
user to run any *job* if you have not set up Bacula ACLs and restricted 
consoles.

In any case, if a user can run a given job on a given client, it is possible 
that Bacula can implement any command on that given machine only provided:

1. You have defined a run script that will run on that machine in the
    bacula-dir.conf file.

2. The script that it accesses on the client machine will be executed, but
    if you set it up correctly, it cannot be changed by users.

Thus the Bacula sys admin should (unless I am missing something) be in
control of what runs and on what machine.

In the next version, though it is not currently implemented, I plan to have
a ScriptsDirectory directive in the FD conf file that will limit run scripts to 
always run from that specific directory, which will permit even tighter control 
on the security aspects of run scripts.


I have successfully used command locked ssh run before (director) commands 
instead of run before client commands to get around some restrictions (timeout) 
and I guess this might be a (painful) solution if run before client could be 
disabled. Ideally though, a capability like command locked ssh is what is 
needed.

Command locked ssh can be a very useful tool, but without a lot of
work, it is not as fine grained as restricted consoles.

Best regards,
Kern

Regards
Steve Lee
________________________________
From: Blake Dunlap <iki...@gmail.com>
Sent: 07 September 2013 00:50
To: Kern Sibbald
Cc: bacula-devel@lists.sourceforge.net
Subject: Re: [Bacula-devel] Client run before security concern

I could see where this could come into play in compliance and multi-tenant 
situations.

It wouldn't hurt to have access masks on the client side as far as allowed 
directories and / or functions like run commands, maybe even a way to set the 
client read-only without explicit client action like turning it back off first 
in the client config. That would fix a lot of the potential issues that are 
left after encryption I suspect when the backup team is not considered a 
trusted actor.

For reference, spacewalk / RHN do this already to a degree with the client 
commands. The client does not consider the central point as a trusted actor and 
they must be explicitly enabled.

-Blake



On Fri, Sep 6, 2013 at 5:27 PM, Kern Sibbald <k...@sibbald.com> wrote:
Bacula is designed with as much security in mind as
I knew/know about.  Perhaps you haven't yet had the time
to read the manual, but aside from not letting a "user" get access
to the Director, you can encrypt all the communications, you can
also run the FD in backup only mode, and restart it in read/write mode
if you want to restore something.  There are many other things
you can do as well.

In most cases, it is easier to get root access to a Linux
system than it is to exploit a properly configured Bacula,
especially if you are running a web server on your machine.
If a user has root access he doesn't need Bacula
to get what he wants.

If you have some specific suggestions for improving
Bacula's security (and I suspect there are many things
to do, some of which I am implementing now), I suggest
you mention them.

Kern

On 09/06/2013 08:18 PM, stefano scotti wrote:
> 2013/9/6, Kern Sibbald <k...@sibbald.com>:
>> Hello,
>>
>> The only security issue is that a "user" should not have access
>> to the Bacula Director.  Only qualified sys admins should have
>> such access.
>>
>> Best regards,
>> Kern
>>
>>
> That's not true.
>
> There are other security issues related to the fact that TCP bacula
> stream could be altered by malicious attackers using one or more of
> the network attacks known today (and they are a lot).
>
> The problem here is that bacula on client machines has more permission
> than it needs, and this vulnerability could be exploited even if the
> attacker is not able to exploit the bacula server system. This is a
> fact.
>
> And even if it wasn't like that, let's suppose (a false thing) that
> the attack could start only by exploiting the bacula server machine.
> Can you please tell me why an exploited system has to have free
> access to the keys which could exploit every system of its network?
> Is it right to consider Bacula the centralized point of security of
> an entire network system? What if it fails?
>
> Accountability and access control are main security matters, and
> currently Bacula isn't implementing them very well on this specific
> question.
>
> We shouldn't justify the current architecture just because it is
> easier to maintain it in the way it is.
> I'm not saying that designing some sort of criteria which limits
> bacula permissions is an easy task; we all know that security
> itself is not an easy task.
>
> But I'm sure of one thing: it could be done, and it could be done well
> if somebody focuses on that.
> I'm sure of another thing: it will never be better if everybody
> keeps saying that nothing can be done about it.
>
> I hope bacula's designer will take care of that, because it IS an issue.
>
> Meanwhile you should, at least, worry about your bacula server and
> your network hardening, because you really need it.
>
> I suggest the use of VPN tunnels.
>
> _______________________________________________
> Bacula-devel mailing list
> Bacula-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-devel
>