Bacula-users

Re: [Bacula-users] Bacula security

2013-07-01 09:54:30
From: Phil Stracchino <alaric AT metrocast DOT net>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 01 Jul 2013 09:51:50 -0400
On 07/01/13 09:11, Grant wrote:
>>>> Bacula does have root read (and write) privileges on every backed-up system,
>>>> but you can encrypt the backups before sending them to the central server.
>>>> Bacula can also sign the backups, so the client can verify that a restore
>>>> doesn't contain modified data.  You still have to keep the encryption/signing
>>>> keys secure of course.
>>>
>>> Thanks for your help.  I don't think I have the b*lls to give root
>>> read/write on every system to the backup server. :)
>>>
>>> - Grant
>>
>> You are free to operate the FD (Client) with any permission you like,
>> but you have to take care that the FD is able to read anything you
>> like to back up and in case of restore it should be able to write and
>> maybe to "chown" the files in question.
> 
> I may have misunderstood before.  The FD runs on the client machines,
> correct?  Read and writing to localhost is no problem.  What worries
> me is one machine having root read(/write) permission on another
> machine.  Can bacula operate without that?

The Director does not connect to client machines at all except through
the FD.  So you have probably misunderstood something, yes.

That said, the Director can run more-or-less-arbitrary commands on the
client through the FD with the FD's privileges, and if you want Bacula
to be able to back up and restore all data on the system it must run as
root, so if your Director is compromised, it can almost certainly be
used to gain access to the clients.  However, it should already go
without saying that your Director, since it has access to all the backup
data of all clients, needs to be carefully controlled.


-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric AT caerllewys DOT net   alaric AT metrocast DOT net   phil AT co.ordinate DOT org
  Renaissance Man, Unix ronin, Perl hacker, SQL wrangler, Free Stater
                 It's not the years, it's the mileage.
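
A check for the encrypt-and-sign settings mentioned in the quoted text, as an added example that is not part of the original message or of Bacula itself: it parses a bacula-fd.conf and reports a File Daemon that does not enable PKI Signatures or PKI Encryption. The sample config, its names, paths and password are constructed placeholders, and the parser assumes flat resources with no `#` or braces inside values.

```python
import re

# Constructed sample bacula-fd.conf; names, paths and password are placeholders.
SAMPLE_FD_CONF = '''
Director {
  Name = backup-dir
  Password = "PLACEHOLDER"
}
FileDaemon {
  Name = client1-fd
  PKI Signatures = Yes         # sign backup data on the client
  PKI Encryption = No          # data leaves the client unencrypted
  PKI Keypair = "/etc/bacula/client1-fd.pem"
}
'''

def norm(keyword):
    # Bacula ignores case and spaces in resource and directive keywords.
    return re.sub(r"\s+", "", keyword).lower()

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for flat resources."""
    text = re.sub(r"#.*", "", text)  # simplification: '#' always starts a comment
    resources = []
    for m in re.finditer(r"(\w[\w ]*?)\s*\{(.*?)\}", text, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                directives[norm(key)] = value.strip().strip('"')
        resources.append((norm(m.group(1)), directives))
    return resources

def audit_fd_conf(text):
    """List File Daemon resources that do not sign and encrypt their backups."""
    findings = []
    for rtype, d in parse_resources(text):
        if rtype not in ("filedaemon", "client"):
            continue
        name = d.get("name", "<unnamed>")
        for key, label in (("pkisignatures", "PKI Signatures"),
                           ("pkiencryption", "PKI Encryption")):
            if d.get(key, "no").lower() not in ("yes", "true"):
                findings.append(f"{name}: {label} is not enabled")
        if "pkikeypair" not in d:
            findings.append(f"{name}: PKI Keypair is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_fd_conf(SAMPLE_FD_CONF):
        print(finding)
```

This only checks how backup data is protected once it leaves the client; as the message above says, the Director can still run commands through the FD with the FD's privileges.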
