On 09/09/2013 20:23, Kern Sibbald wrote:
> On 09/09/2013 05:22 PM, Steve Lee wrote:
>> I'll definitely take a look at the restricted console/ACL capability
>> which seems pretty useful.
>> I guess it won't help though in the case where the server running the
>> director has been compromised and a user can create bacula config
>> files and run the console locally.
>
> Yes, in the case of the Director's machine being compromised, you are
> really in trouble. :-(

Hi,

I raised a couple of feature requests last year to address compromise/abuse of the system and/or Director - see below.

Regards,

Richard

--------

Item 1: Read-only mode for file daemon
Origin: Richard Tector <rich...@tector.org.uk>
Date: 12th Feb 2012
Status:

What: The ability to configure the file daemon to operate in a read-only mode, i.e. refuse to run restore jobs. This would ideally be set in the daemon's configuration file, either as a list of 'allowed' job types (Backup/Verify) or as a simple read-only knob.

Why: In the event of the server running the Bacula Director service being compromised, having distributed file daemons in a read-only mode would stop critical files from being overwritten remotely and so leading to additional system compromises. In the event of a file restore being required, the read-only knob could be flipped locally on a temporary basis.

Notes: Whilst the file daemon does have a '-k' option, this is not reliably cross-platform. Additionally it is not always feasible to reduce the privileges of the bacula user and then use file system ACLs to limit write privileges. This feature request obviously does not remove the risk from the file daemon being compromised.

Item 2: File daemon directory restrictions
Origin: Richard Tector <rich...@tector.org.uk>
Date: 12th Feb 2012
Status:

What: The ability within the file daemon configuration to restrict which directories can be accessed by a remote Director for backup/restore jobs, etc.

Why: A system may have sensitive data on it that does not require backing up with Bacula. These files/directories may be backed up either to a different Director/File daemon or through another method. The ability to set restrictions would reduce the risk of data leakage in the event that the Director is compromised.

Notes: As with the former feature request, it is not always feasible or desired to restrict access through the use of file system access controls.
Again, this feature would not mitigate against file daemon compromise.

_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
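
The two checks requested in Items 1 and 2 above, written out as an added example; it is not part of the original message and not Bacula code. All type, function and variable names are hypothetical, the policy is a constructed sample, and allow-list entries are assumed to be normalised absolute paths without a trailing slash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; none of this is Bacula's own API or config. */
enum job_type { JOB_BACKUP, JOB_VERIFY, JOB_RESTORE };
struct fd_policy {
    bool read_only;                  /* Item 1: refuse restore jobs */
    const char *const *allowed_dirs; /* Item 2: NULL-terminated allow-list */
};
/* Lexically normalise an absolute path (collapses "//", "." and "..").
 * Symlinks are not resolved here; a real daemon would also need realpath(3). */
static bool normalize(const char *in, char *out, size_t cap) {
    size_t len = 0;
    if (in[0] != '/' || cap < 2) return false;   /* relative paths are refused */
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* drop last component */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            if (len + n + 2 > cap) return false;      /* too long: refuse */
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return true;
}
/* Decide whether a Director request for `path` under job type `job` is served. */
bool fd_request_allowed(const struct fd_policy *p, enum job_type job, const char *path) {
    char norm[4096];
    if (p->read_only && job == JOB_RESTORE) return false;
    if (!normalize(path, norm, sizeof norm)) return false;
    for (const char *const *d = p->allowed_dirs; *d; d++) {
        size_t n = strlen(*d);   /* match whole components: "/home" != "/homework" */
        if (strncmp(norm, *d, n) == 0 && (norm[n] == '/' || norm[n] == '\0'))
            return true;
    }
    return false;
}
/* Constructed sample policy: read-only, two permitted trees. */
const char *const sample_dirs[] = { "/home", "/var/www", NULL };
const struct fd_policy sample_ro = { true, sample_dirs };
int main(void) {
    printf("%d\n", fd_request_allowed(&sample_ro, JOB_BACKUP, "/home/../etc/shadow"));
    return 0;
}
```

Because the check runs inside the file daemon, it holds even when the Director sending the job is compromised; as the message notes, it does nothing if the file daemon itself is compromised.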