Re: [Bacula-users] Restricting who can restore data from which system to where

2012-10-20 07:29:36
Subject: Re: [Bacula-users] Restricting who can restore data from which system to where
From: Geert Stappers <Geert.Stappers AT vanadgroup DOT com>
To: "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>
Date: Sat, 20 Oct 2012 13:27:04 +0200
On 20121019 at 18:13, Martin Simmons wrote:
> >>>>> On Wed, 17 Oct 2012 17:24:06 +0200,   said:
> > 
> > To solve things, I've tried setting ACLs in the Console statement like
> > this:
> > 
> > Console {
> >   Name = Almond
> >   Password = ""
> >   ClientACL = Almond
> >   StorageACL = Almond_Storage
> >   PoolACL = Almond_Pool
> > }
> > 
> > But this doesn't work. I thought this would limit the client as defined in
> > Client { Name= Almond.....}  to access only the listed storage and pools
> > (which would be great, as almond has its own reserved pool), but it doesn't
> > do that. I think I may be interpreting the manual the wrong way. I've
> > googled and found several other people asking the same question, but no
> > working answers.
> 
> The Console statement in bacula-dir.conf isn't designed to match a named
> Client statement.  You need to put a special bconsole.conf on the client, so
> that it uses the Console directive in the bacula-dir.conf.
> 
> See the restricted-user examples here:
> 
> http://www.bacula.org/5.2.x-manuals/en/main/main/Console_Configuration.html
> 
> __Martin
> 

To cover the
> > I can even create my own /etc/passwd and /etc/shadow on my own system
> > “pine”, with my passwords for known accounts, make a backup of it,
> > then use the above method to “restore” it to the almond server,
> > thereby disallowing authorized users (as their accounts will be gone)
> > and allowing myself access (as I have all users/passwords).

I want to add
   http://www.bacula.org/5.2.x-manuals/en/main/main/New_Features_in_5_0_0.html
to this thread, where
| Read-only File Daemon using capabilities
| 
| This feature implements support of keeping ReadAll capabilities
| after UID/GID switch, this allows FD to keep root read but drop write
| permission.
| 
| It introduces new bacula-fd option (-k) specifying that ReadAll
| capabilities should be kept after UID/GID switch.
| 
|   root@localhost:~# bacula-fd -k -u nobody -g nobody
| 
| The code for this feature was contributed by our friends at AltLinux.
is said.


Cheers
Geert Stappers
-- 
http://www.vanadcimplicity.com
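As an added illustration of the restricted-console approach Martin points to (constructed example, not from this thread or the Bacula project; Director name, address, passwords and the restore path are assumptions), this pairs a Console resource in bacula-dir.conf with the bconsole.conf on the almond host that selects it, so that console can only see the Almond client, storage and pool and can only restore under one directory, which is what blocks the "restore my own /etc/passwd onto another server" scenario quoted above:

```conf
# bacula-dir.conf on the Director (constructed example)
Console {
  Name = Almond                  # must equal Console { Name } in the client's bconsole.conf
  Password = "almond-console-secret"
  # Only these resources are visible to this console; anything not listed is denied.
  ClientACL   = Almond
  StorageACL  = Almond_Storage
  PoolACL     = Almond_Pool
  JobACL      = Almond_Backup, RestoreFiles
  FileSetACL  = Almond_FileSet
  ScheduleACL = *all*
  CatalogACL  = MyCatalog
  # Restores started from this console may only be written below this path.
  # Omit it and only the Director's default restore location is allowed;
  # "*all*" would let the operator pick any path, including /etc.
  WhereACL    = /var/restore/almond
  # Enough to inspect and restore, not enough to reconfigure or run arbitrary jobs.
  CommandACL  = list, llist, messages, restore, run, status, quit
}

# /etc/bacula/bconsole.conf on the almond host (constructed example)
Director {
  Name     = backup-dir          # the Director's own Name, assumed here
  DIRport  = 9101
  Address  = backup.example.internal
  Password = "notused"           # not consulted when a Console resource is present
}
Console {
  Name     = Almond              # selects the restricted Console above
  Password = "almond-console-secret"
}
```

After reloading the Director, `status` and `restore` from that bconsole should list only the Almond client and refuse any `where=` outside /var/restore/almond; a full-access bconsole.conf (no Console resource) still gets the unrestricted Director login.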