Bacula-users

Re: [Bacula-users] Restricting who can restore data from which system to where

2012-10-31 18:26:40
Subject: Re: [Bacula-users] Restricting who can restore data from which system to where
From: lst_hoe02 AT kwsoft DOT de
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 31 Oct 2012 23:22:53 +0100

Quoting r.schuitemaker AT kpn DOT com:

>>> To solve things, I've tried setting ACLs in the Console
>>> statement like this:
>>>
>>> Console {
>>>   Name = Almond
>>>   Password = ""
>>>   ClientACL = Almond
>>>   StorageACL = Almond_Storage
>>>   PoolACL = Almond_Pool
>>> }
>>>
>>> But this doesn't work. I thought this would limit the client as
>>> defined in Client { Name= Almond.....}  to access only the listed
>>> storage and pools (which would be great, as almond has its own
>>> reserved pool), but it doesn't do that. I think I may be interpreting
>>> the manual the wrong way. I've googled and found several other people
>>> asking the same question, but no working answers.
>
>> The Console statement in bacula-dir.conf isn't designed to match a  
>> named Client statement.  You need to put a special bconsole.conf on  
>> the client, so that it uses the Console directive in the  
>> bacula-dir.conf.
>
>> See the restricted-user examples here:
>
>> http://www.bacula.org/5.2.x-manuals/en/main/main/Console_Configuration.html
>
>> __Martin
>
> Martin,
>
> Thanks for your answer, but that doesn't fully solve my issue. The  
> root user on client A can modify his own bconsole.conf, so any  
> security that depends on bconsole.conf isn't security. I only want  
> to trust those clients like a bank trusts its safety deposit box
> holders: I trust client A with the files from Client A and with  
> Client A's password, but I don't trust Client A with Client B's  
> files, just like the bank will trust Client A with the key to his  
> box, but not with the key to Mr. B's box.  I'd like the security to  
> be thus that only client A can access client A's files, and nothing  
> more. I don't see how I can accomplish that by using only a  
> bconsole.conf on the client side. Is there any other way that you  
> know of?

You might have a look at data encryption. With one certificate/key  
pair per machine only the matching key owner will be able to restore  
files.

Regards

Andreas
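
The per-machine key pair suggested above, as an added example that is not part of the original message: a bacula-fd.conf fragment for client Almond using Bacula's PKI directives. The daemon name and all file paths are assumed for illustration.

```conf
# bacula-fd.conf on client Almond (names and paths are assumptions)
FileDaemon {
  Name = almond-fd
  # Sign and encrypt file data on the client, before it is sent
  # to the Storage Daemon.
  PKI Signatures = Yes
  PKI Encryption = Yes
  # Private key + self-signed certificate of THIS client only.
  # Generate a separate pair for every machine; keep the file
  # readable by root alone (chmod 600).
  PKI Keypair = "/etc/bacula/almond-fd.pem"
  # Optional recovery key: install ONLY the public certificate here.
  # The master private key is kept off every client.
  PKI Master Key = "/etc/bacula/master.cert"
}
```

With this in place, another client that obtains Almond's volumes through the Director cannot decrypt the file contents without Almond's private key. The Bacula manual notes that file metadata is not encrypted, so the Console ACLs are still needed to limit what each client can list.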


