Bacula-users

Re: [Bacula-users] Bat and ACL

2009-05-27 05:52:24
Subject: Re: [Bacula-users] Bat and ACL
From: Arno Lehmann <al AT its-lehmann DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 27 May 2009 11:47:57 +0200

Hi,

27.05.2009 11:29, Silver Salonen wrote:
> On Wednesday 27 May 2009 11:34:43 Arno Lehmann wrote:
>> Hi,
>>
>> 27.05.2009 09:59, Silver Salonen wrote:
>>> Hello.
>>>
>>> Does anyone know what's the optimal/minimal ACL for a user using Bat? I know
>>> that wx-console used commands .status, .clients etc.
>>>
>>> What commands are needed by Bat to be usable?
>> I'm not sure... probably all the commands, including all the .commands.
>>
>> The problem I see is that BAT is, currently, not designed to handle 
>> restricted access.
>>
>> You'd probably have better results if you don't limit BAT's access by 
>> commands, but to limited pools, clients, etc.
>>
>> As far as I know, BAT reads the known resources on startup. If it 
>> doesn't see some pools, for example, it will not try to work with 
>> those. If, on the other hand, it knows about all pools, and gets errors 
>> from some commands it passes to the DIR, chances are that BAT will 
>> simply crash.
>>
>> Good luck!
>>
>> Arno
> 
> Thanks for the suggestions!
> 
> I compared admin-ran Bat's commands to the user-ran one and figured out the 
> missing commands.
> 
> I ended up with such ACL for commands:
> ==========
> CommandACL = status, run, .status, restore, list, help, query, .filesets, 
> .storage, .defaults, .messages, .backups, .api, .jobs, .clients, .filesets, 
> .msgs, .pools, .storage, .types, .levels, .sql, .mod
> ==========
> 
> Now everything seems to work quite OK, but when I try to restore a file from 
> Version Browser, I'm taken to the restore-window, but then I get an error:
> ==========
> bat: console/console.cpp:560 send: .mod restoreclient="black-fd" 
> fileset="Full 
> Set" storage="storage-black" replace="always" when="2009-05-27 12:20:47" 
> bootstrap="/var/db/bacula/bkp-dir.restore.5.bsr" 
> where="/mnt/da1/bacula/restores" priority="10" yes
> 
> bat: console/console.cpp:585 DisplaytoPrompt
> bat: console/console.cpp:628 got: No authoriztion for "where" specification.
> ==========
> 
> Any idea where this authorization problem can be fixed?

WhereACL probably.

> 
> PS. As server has to accept a ".sql" command from Bat and it seems that it 
> just executes any SQL-commands based on that, it's quite a dangerous command 
> to allow - a modified version of Bat or any other client could then do 
> anything with the database, couldn't it?

Right... one of the reasons I think the ACLs are not very helpful to 
limit access for BAT.

Some others may be annoying but are not necessarily dangerous - 
umount, for example.

Arno
> --
> Silver
> 

-- 
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
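
As an added example (not part of the original thread and not Bacula project code), a small Python audit of Director Console resources for the two points raised above: SQL-capable commands in CommandACL and the WhereACL setting behind the restore error. The resource names are placeholders, `sqlquery` is included as the interactive SQL command, and reading a missing WhereACL as "custom restore paths are not authorized" is an assumption based on the error quoted in the thread.

```python
import re

# Console commands that hand SQL to the catalog (".sql" is the one in the thread).
SQL_COMMANDS = {".sql", "sqlquery"}

def parse_consoles(conf_text):
    text = re.sub(r"#[^\n]*", "", conf_text)   # drop comments
    text = re.sub(r",\s*\n\s*", ", ", text)     # join lists wrapped after a comma
    consoles = []
    for body in re.findall(r"\bConsole\s*\{(.*?)\}", text, re.S | re.I):
        res = {}
        for line in body.splitlines():
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # keywords ignore case and spaces
            items = [v.strip().strip('"') for v in value.split(",") if v.strip()]
            res.setdefault(key, []).extend(items)
        consoles.append(res)                       # {directive: [values]}
    return consoles

def audit(console):
    findings = []
    cmds = {c.lower() for c in console.get("commandacl", [])}
    where = {w.lower() for w in console.get("whereacl", [])}
    for cmd in sorted(cmds & SQL_COMMANDS):
        findings.append(f"CommandACL allows {cmd}: SQL reaches the catalog")
    if "*all*" in cmds:
        findings.append("CommandACL = *all*: every command is allowed")
    if "*all*" in where:
        findings.append("WhereACL = *all*: restores may go to any path")
    if "restore" in cmds and not where:
        findings.append("restore allowed without WhereACL: custom 'where' not authorized")
    return findings

# Constructed sample: names are placeholders; the first CommandACL is the list
# from the post (duplicates dropped), the second resource is hypothetical.
SAMPLE = '''
Console {
  Name = bat-user
  CommandACL = status, run, .status, restore, list, help, query, .filesets,
    .storage, .defaults, .messages, .backups, .api, .jobs, .clients,
    .msgs, .pools, .types, .levels, .sql, .mod
}
Console {
  Name = bat-user-2
  Command ACL = status, restore, list
  WhereACL = "/mnt/da1/bacula/restores"
}
'''
```

Run `audit()` over each dict returned by `parse_consoles()`; an empty list means none of these checks fired.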
