Hi,
27.05.2009 11:29, Silver Salonen wrote:
> On Wednesday 27 May 2009 11:34:43 Arno Lehmann wrote:
>> Hi,
>>
>> 27.05.2009 09:59, Silver Salonen wrote:
>>> Hello.
>>>
>>> Does anyone know what's the optimal/minimal ACL for a user using Bat? I
> know
>>> that wx-console used commands .status, .clients etc.
>>>
>>> What commands are needed by Bat to be usable?
>> I'm not sure... probably all the commands, including all the .commands.
>>
>> The problem I see is that BAT is, currently, not designed to handle
>> restricted access.
>>
>> You'd probably have better results if you don't limit BATs access by
>> commands, but to limited pools, clients, etc.
>>
>> As far as I know, BAT reads the known resources on startup. If it
>> doesn't see some pools, for example, it will not try to work with
>> those. If, on the other hand, it know about all pools, and gets errors
>> from some commands it passes to the DIR, chances are that BAT will
>> simply crash.
>>
>> Good luck!
>>
>> Arno
>
> Thanks for the suggestions!
>
> I compared admin-ran Bat's commands to the user-ran one and figured out the
> missing commands.
>
> I ended up with such ACL for commands:
> ==========
> CommandACL = status, run, .status, restore, list, help, query, .filesets,
> .storage, .defaults, .messages, .backups, .api, .jobs, .clients, .filesets,
> .msgs, .pools, .storage, .types, .levels, .sql, .mod
> ==========
>
> Now everything seems to work quite OK, but when I try to restore a file from
> Version Browser, I'm taken to the restore-window, but then I get an error:
> ==========
> bat: console/console.cpp:560 send: .mod restoreclient="black-fd"
> fileset="Full
> Set" storage="storage-black" replace="always" when="2009-05-27 12:20:47"
> bootstrap="/var/db/bacula/bkp-dir.restore.5.bsr"
> where="/mnt/da1/bacula/restores" priority="10" yes
>
> bat: console/console.cpp:585 DisplaytoPrompt
> bat: console/console.cpp:628 got: No authoriztion for "where" specification.
> ==========
>
> Any idea where this authorization problem can be fixed?
WhereACL probably.
>
> PS. As server has to accept a ".sql" command from Bat and it seems that it
> just executes any SQL-commands based on that, it's quite a dangerous command
> to allow - a modified version of Bat or any other client could then do
> anything with the database, couldn't it?
Right... one of the reasons I think the ACLs are not very helpful to
limit access for BAT.
Some others may be annoying but are not necessarily dangerous -
umount, for example.
Arno
> --
> Silver
>
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
is a gathering of tech-side developers & brand creativity professionals. Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, &
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
|