Bacula-users

Re: [Bacula-users] Bacula security

2013-07-01 10:27:57
Subject: Re: [Bacula-users] Bacula security
From: Jérôme Blion <jerome.blion AT free DOT fr>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 01 Jul 2013 16:25:06 +0200
On 2013-07-01 15:53, Martin Simmons wrote:
>>>>>> On Mon, 01 Jul 2013 15:25:23 +0200, Jérôme Blion said:
>> 
>> On 2013-07-01 13:07, Martin Simmons wrote:
>>> Bacula does have root read (and write) privileges on every backed-up
>>> system, but you can encrypt the backups before sending them to the
>>> central server. Bacula can also sign the backups, so the client can
>>> verify that a restore doesn't contain modified data.  You still have to
>>> keep the encryption/signing keys secure of course.
>>> 
>>> __Martin
>> 
>> 
>> If the bacula server is compromised and the attacker gains root
>> privileges on the Bacula director, it can modify any client's job to
>> run a specific command to gain access (unprivileged or not).
>> In this kind of architecture, securing the director from unauthorized
>> access is primordial and needs to take the necessary time to do it
>> properly.
>>
>> If you don't grant privileges to clients (console access and so on),
>> they can be safely compromised (sigh). At worst, you will back up
>> wrong files. If they have a console access to the director, you must
>> ensure they can't do harm to your system or your files (restoring files
>> from a confidential system on a public one, for example).
> 
> The latter case is secured by encrypting the backups (since the key is
> only on the correct client).
>
> You are right about the risk of compromise of the client though -- it
> looks like there is no way to force the FD to only restore from signed
> backups.
> 
> __Martin

Hello,

It can be secured via ACL too.
You can manage what a client has access to.

And so, ensure no critical data pieces can be stolen through that way.

HTH.
Jerome Blion.
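
The ACLs mentioned in the reply above are set on a Console resource in the Director's configuration. The following is an added example, not taken from the thread or from the Bacula project: a restricted console for one client, in which every resource name, the restore path and the password are hypothetical placeholders.

```conf
# bacula-dir.conf on the Director (constructed example; all names are hypothetical)

# Restricted console handed to the admin of the public web server.
# A named console can only use the resources listed in its ACLs.
Console {
  Name = "public-web-console"
  Password = "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder, not a real secret

  # Only this client and its own jobs are visible, so backups of
  # other (confidential) clients cannot be selected for a restore.
  ClientACL  = public-web-fd
  JobACL     = "Backup-public-web", "Restore-public-web"
  FileSetACL = "public-web-files"
  PoolACL    = "public-web-pool"
  StorageACL = File1
  CatalogACL = MyCatalog

  # Restores may only be written under this path.
  WhereACL   = "/var/tmp/bacula-restores"

  # Console commands this user may run; anything not listed is refused.
  CommandACL = run, restore, status, list, messages, wait
}
```

This limits what a compromised client's console can ask the Director to do; it does not help once the Director itself is compromised, which is the case discussed earlier in the thread.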
