Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Bacula-users] FD feature requests

2012-02-14 13:48:04
Subject: [Bacula-users] FD feature requests
From: Richard Tector <richard AT tector.org DOT uk>
To: bacula-devel AT lists.sourceforge DOT net, bacula-users AT lists.sourceforge DOT net
Date: Tue, 14 Feb 2012 18:46:03 +0000 
Item 1:   Read-only mode for file daemon
   Origin: Richard Tector <richard AT tector.org DOT uk>
   Date:   12th Feb 2012
   Status:

   What:   The ability to configure the file daemon to operate in a
read-only mode, ie. refuse to run restore jobs. This would ideally be
set in the daemon's configuration file, either as a list of 'allowed'
job types (Backup/Verify) as a simple read-only knob.

   Why:    In the event of the server running the Bacula Director
service being compromised, having distributed file daemons in a
read-only mode would stop critical files from being overwritten remotely
and so leading to additional system compromises. In the event of a file
restore being required, the read-only knob could be flipped locally on a
temporary basis.

   Notes:  Whilst the file daemon does have a '-k' option, this is not
reliably cross-platform. Additionally it is not always feasible to
reduce the privileges of the bacula user and then use file system ACLs
to limit write privileges.
This feature request obviously does not remove the risk from the file
daemon being compromised.


Item 2:   File daemon directory restrictions
   Origin: Richard Tector <richard AT tector.org DOT uk>
   Date:   12th Feb 2012
   Status:

   What:   The ability within the file daemon configuration to restrict
which directories can be accessed by a remote Director for
backup/restore jobs, etc.

   Why:    A system may have sensitive data on it that does not require
backing up with Bacula. These files/directories may be backed up either
to a different Director/File daemon or through another method. The
ability to set restrictions would reduce the risk of data leakage in the
event that the Director is compromised.

   Notes:  As with the former feature request, it is not always feasible
or desired to restrict access through the use of file system access
controls. Again, this feature would not mitigate against file daemon
compromise.

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Bacula-users] FD feature requests, Richard Tector <=
Previous by Date:  Re: [Bacula-users] Set real size cartridge in bacula, John Drescher
Next by Date:  [Bacula-users] I want to build bacula-fd on Tru64, 송태환
Previous by Thread:  [Bacula-users] Bacula Events and Python Scripting, Mingus Dew
Next by Thread:  [Bacula-users] I want to build bacula-fd on Tru64, 송태환
Indexes:  [Date] [Thread] [Top] [All Lists]