[Bug 222558] Re: password in bacula-fd.conf is not auto-generated
This bug was fixed in the package bacula - 2.4.3-1ubuntu1 --- bacula (2.4.3-1ubuntu1) jaunty; urgency=low * Store sd|fd|director passwords in debconf (LP: #222558) - added debian/bacula-common.templates - modified debian/bacula-common.postinst: + generate random passwords and store them in debconf - modified debian/bacula-[sd|fd|director-mysql|director-pgsql].postinst + read and set passwords from debconf * Daemons listen on all interfaces (LP: #286643) * Start daemons on installation * Build with generic XXX_*_XXX username, password and database name and replace it with dbconfig's settings in postinstall scripts * Merge from debian unstable, remaining changes: - Drop mt-st to suggests. So that bacula goes back to main. (LP: #286528) - debian/rules: Disable fortify source since it was causing bacula-director to segfault. - debian/control: + Added libdbi-perl and libdb-mysql-perl to depends for bacula-director-mysql due to new postinst configuration. + Cleaned up bacula-director-pgsql dependenices and recommends. + Made mysql the default director to install bacula-director-{mysql|pgsql} added database handling to postinstall scripts and templates, modifiied postinstall script's sed expressions. + Removed libwgtk-2.6-dev as a build dependency; as a result bacula-console-wx isn't built anymore. + Install gawk if not installed. (LP: #207527) - debian/make_catalog_backup_awk.[mysql|pgsql|sqlite3|sqlite]: + New scripts for catalog backup. (CVE-2007-5626) - debian/bacula-console-wx: + Dropped since we are not building them anymore. - debian/bacula-director-common.bacula-director.init, debian/bacula-fd.init, debian/bacula-sd.init + Made more LSB specific. -- Ante Karamatic [EMAIL PROTECTED] Wed, 26 Nov 2008 13:53:30 +0100 ** Changed in: bacula (Ubuntu) Status: Confirmed = Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2007-5626 -- password in bacula-fd.conf is not auto-generated https://bugs.launchpad.net/bugs/222558 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bacula in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 222558] Re: password in bacula-fd.conf is not auto-generated
I'll mark this bug as 'medium' at the moment. But this should be resolved as soon as possible. Kern, of course, any code would be welcome. It's clear that we should generate password on postinstall of package, not during compile-time. ** Changed in: bacula (Ubuntu) Importance: Undecided = Medium Status: New = Confirmed -- password in bacula-fd.conf is not auto-generated https://bugs.launchpad.net/bugs/222558 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bacula in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 222558] Re: password in bacula-fd.conf is not auto-generated
On Wednesday 24 September 2008 11:13:20 Ante Karamatić wrote: I'll mark this bug as 'medium' at the moment. But this should be resolved as soon as possible. Kern, of course, any code would be welcome. It's clear that we should generate password on postinstall of package, not during compile-time. ** Changed in: bacula (Ubuntu) Importance: Undecided = Medium Status: New = Confirmed I am not (yet) a Debian packaging expert, so I asked the Bacula .deb guy (Eric), and this is his response. Sorry for emailer wrapping, but you can probably figure it out. On Wednesday 24 September 2008 16:18:58 you wrote: Hello Eric, Do you have some .deb magic I could send off to the Ubuntu Bacula maintainers so that they can generate random passwords when installing Bacula? I use the bacula-common configuration script (debian/bacula-common.config) to compute and store random password for all bacula packages. (my template file is ok too) if ! db_get bacula/director_passwd; then db_set bacula/director_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) db_set bacula/director_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) db_set bacula/fd_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) db_set bacula/fd_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) db_set bacula/sd_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) db_set bacula/sd_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c33) fi After that, i use special strings to replace password in configuration file (like for RPM) ./configure ... --with-dir-password=XXX_REPLACE_WITH_DIRECTOR_PASSWORD_XXX \ --with-fd-password=XXX_REPLACE_WITH_CLIENT_PASSWORD_XXX \ --with-sd-password=XXX_REPLACE_WITH_STORAGE_PASSWORD_XXX \ --with-mon-dir-password=XXX_REPLACE_WITH_DIRECTOR_MONITOR_PASSWORD_XXX \ --with-mon-fd-password=XXX_REPLACE_WITH_CLIENT_MONITOR_PASSWORD_XXX \ --with-mon-sd-password=XXX_REPLACE_WITH_STORAGE_MONITOR_PASSWORD_XXX \ At the end, i just have to replace XXX_...XXX strings by what we have computed in each package.postinst script. db_get bacula/director_mpasswd db_dir_mpass=$RET db_get bacula/fd_mpasswd db_fd_mpass=$RET db_get bacula/sd_mpasswd db_sd_mpass=$RET db_stop sed \ -e s%XXX_REPLACE_WITH_DIRECTOR_MONITOR_PASSWORD_XXX%$db_dir_mpass% \ -e s%XXX_REPLACE_WITH_STORAGE_MONITOR_PASSWORD_XXX%$db_sd_mpass% \ -e s%XXX_REPLACE_WITH_CLIENT_MONITOR_PASSWORD_XXX%$db_fd_mpass% \ $SRCDIR/$CONFIG $TARGET At the end, if you configure FD/SD/DIR/Console on the same box, all your passwords will be ok. They have also to remove the XXAddress = 127.0.0.1 from all configuration file. -- password in bacula-fd.conf is not auto-generated https://bugs.launchpad.net/bugs/222558 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bacula in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 222558] Re: password in bacula-fd.conf is not auto-generated
I was not aware of this bug (sorry, I should look at them all), but I think I can shed some light on it and even provide the code necessary to fix it. Basically the user is saying that each Bacula daemon generated needs a shared secrete random password used for authentication, and these passwords *must* be generated at install time to be unique. I have not looked at your packages but I believe that you inherited them from Debian where I have reported this problem. The passwords that you release in the bacula-xx.conf files are generated by Bacula at build time, and thus are installed on all systems, and hence are not secure, and this applies to all versions of Bacula that you have packaged. If you have explicitly added code in the install process that generates random passwords, then this bug should be closed, otherwise, it should be left open and marked as a security problem. Note, this is a packaging problem. Bacula generates random passwords during the ./configure process, so everything is consistent, but once it is packaged, the packager needs to create similar code to the Bacula ./configure so that all installations will have different passwords. If you want, I can provide you with sample code suitable to put in your installation packages. -- password in bacula-fd.conf is not auto-generated https://bugs.launchpad.net/bugs/222558 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bacula in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 222558] Re: password in bacula-fd.conf is not auto-generated
We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again! ** Changed in: bacula (Ubuntu) Status: Incomplete = Invalid -- password in bacula-fd.conf is not auto-generated https://bugs.launchpad.net/bugs/222558 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bacula in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs