On 9/9/2013 3:23 PM, Kern Sibbald wrote:
> On 09/09/2013 05:22 PM, Steve Lee wrote:
>> I'll definitely take a look at the restricted console/ACL capability which seems pretty useful. I guess it won't help though in the case where the server running the director has been compromised and a user can create Bacula config files and run the console locally.
>
> Yes, in the case of the Director's machine being compromised, you are really in trouble. :-(

Indeed! And quite frankly, a ScriptsDirectory, in the case of a compromised Director machine, is of little consolation, considering that a compromised Director machine would allow the attacker to restore and steal any backed-up file from any and all clients.

Fortunately, Steve is running Bacula Dir and SD in a Xen VM. I do much the same thing, but with KVM. In this scenario, there is no reason to have any listening ports open except Bacula's ports and SSH. With only 3 open ports, all using TLS, I consider it about as safe as is possible to be. It would be far easier to attack the client directly, therefore I consider the chance that Bacula can be used as an attack vector to be extremely low.

_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
