Hi,
14.11.2008 11:15, Personal Técnico wrote:
> Hello,
>
> I'm trying to configure a "secure" bwx-console.conf file. Files in my
> Server and Client are configured as you can see here:
>
> SERVER:
>
> bacula-dir.conf:
>
> Director {
> Name = server_name
> DIRport = 9101
> QueryFile = "/etc/bacula/query.sql"
> WorkingDirectory = "/var/lib/bacula"
> PidDirectory = "/var/run/bacula"
> Maximum Concurrent Jobs = 3
> Password = "password"
> Messages = Daemon
> DirAddress = IP_Address # :)
> }
>
> Console {
> Name = usuarios
> Password = "abcde"
> JobACL = Backup-clientA, RestoreFiles
> ScheduleACL = *all*
> ClientACL = clientA-fd
> FileSetACL = Usuario-Windows
> CatalogACL = Catalogo-USUARIOS
> CommandACL = setdebug,cancel,disable,estimate,help,messages,restore,run,status,exit,.backups,.clients,.defaults,.exit,.filesets,.help,.jobs,.messages,.pools,.quit,.status,.storage
> StorageACL = *all*
> PoolACL = Incr_USUARIOS
> }
>
>
> CLIENT:
>
> bwx-console.conf:
>
> Director {
> Name = server_name
> DIRport = 9101
> address = IP_Address
> Password = "xxxxx" # an incorrect password!!
> }
>
> Console {
> Name = usuarios
> Password = "abcde" # the same password there is in the bacula-dir.conf
> }
>
> bacula-fd.conf:
>
> FileDaemon {
> Name = clientA-fd
> FDport = 9102 # where we listen for the director
> WorkingDirectory = "C:\\Documents and Settings\\All Users\\Datos de programa\\Bacula\\Work"
> Pid Directory = "C:\\Documents and Settings\\All Users\\Datos de programa\\Bacula\\Work"
> Maximum Concurrent Jobs = 1
> }
>
> #
> # List Directors who are permitted to contact this File daemon
> #
> Director {
> Name = server_name
> Password = "password"
> Address = IP_Address
> }
>
> #
> # Restricted Director, used by tray-monitor to get the
> # status of the file daemon
> #
> Director {
> Name = clientA-mon
> Password = "password"
> Monitor = yes
> }
>
> Messages {
> Name = Standard
> director = server_name = all, !skipped, !restored
> }
>
>
> With this configuration, users can run only the commands listed in
> "CommandACL" (it is OK!!), but if a user modifies his files and removes
> Console in bwx-console and changes the password value (he can see in
> bacula-fd.conf that the password is "password"), he obtains a full console...
> If I change the password value in "bacula-fd.conf" to a wrong value, the client
> can't connect, even console values in bwx-console.conf...
>
> How can I configure the server and client to avoid user manipulation and
> keep a "normal" user from getting a full console??
Hmm... you could make the bwx-console.conf unwritable by regular
users. Also ensure they cannot restore files to anywhere except their
home directories, so they can't simply overwrite it with a copy they
create themselves.
The remaining problem is to make sure they don't call 'bwx-console -c
C:\path\to\users\directory\bwx-console.conf' ... I don't see how you
can prevent this without changing bwx-console's code, though.
Arno
> Thanks..
>
> P.D.: bufff, my english is poooooooor...
PS: Good enough.
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
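
Added example, not part of the original thread and not Bacula code: a small audit that checks for the condition the original poster describes, a password readable in a client-side file that is also the Director resource's Password in bacula-dir.conf. The function names and the trimmed sample configs are assumptions made for this illustration.

```python
import re

# Constructed sample input: the resources quoted in the thread, trimmed.
DIR_CONF = '''
Director {
  Name = server_name
  Password = "password"
}
Console {
  Name = usuarios
  Password = "abcde"
}
'''
CLIENT_CONFS = {
    "bwx-console.conf": '''
Director {
  Name = server_name
  Password = "xxxxx"   # an incorrect password!!
}
Console {
  Name = usuarios
  Password = "abcde"
}
''',
    "bacula-fd.conf": '''
Director {
  Name = server_name
  Password = "password"
}
''',
}

def parse_resources(text):
    """Parse 'Type { key = value }' blocks; assumes no braces inside values."""
    out = []
    for rtype, body in re.findall(r"(\w+)\s*\{(.*?)\}", text, re.S):
        fields = {}
        for key, value in re.findall(r"^[ \t]*([\w ]+?)[ \t]*=[ \t]*(.*)$", body, re.M):
            quoted = re.match(r'"([^"]*)"', value)
            fields[key.replace(" ", "").lower()] = (
                quoted.group(1) if quoted else value.split("#")[0].strip())
        out.append((rtype.lower(), fields))
    return out

def full_console_passwords_on_client(dir_conf, client_confs):
    """Client-side resources reusing a bacula-dir.conf Director Password."""
    secrets = {f["password"] for t, f in parse_resources(dir_conf)
               if t == "director" and "password" in f}
    return [(fname, t, f.get("name")) for fname, text in client_confs.items()
            for t, f in parse_resources(text) if f.get("password") in secrets]
```

A non-empty result means a file on the client exposes the password that opens the unrestricted console. In Bacula the File Daemon password is set per Client resource in bacula-dir.conf, so it does not have to match the Director resource's Password.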
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users