Re: [Bacula-users] restricted consoles and uids
2016-02-24 19:55:09
----- Original Message -----
> From: "Peter Keller" <pkeller AT sift DOT net>
> To: "Heitor Faria" <heitor AT bacula.com DOT br>
> Cc: "Bacula Users List" <bacula-users AT lists.sourceforge DOT net>
> Sent: Wednesday, February 24, 2016 9:39:13 PM
> Subject: Re: [Bacula-users] restricted consoles and uids
> Hello,
>
> On 02/24/2016 05:50 PM, Heitor Faria wrote:
>> *Minor correction:
>>
>> cat /usr/sbin/baculejo
>> =========================>8 Cut Here >8===========================
>> DIR_NAME=hfaria-K46CB-dir
>> DIR_ADDRESS=localhost
>>
>> echo " Director {
>> Name = $DIR_NAME
>> DIRport = 9101
>> Address = $DIR_ADDRESS
>> Password = "xxxx"
>> }
>>
>> Console {
>> Name = $USER
>> Password = "password"
>> }" > /tmp/baculejo.conf
>>
>> bconsole -c /tmp/baculejo.conf
>
> I see why this works, but it tells me there is no way in bacula
> to perform the configuration in question without resorting to
> either a wrapper script, some other out of band solution, or
> implementing code in bacula. Also, all users would have the
> same Password, and there would be nothing stopping them from
> just writing a baculejo.conf for root and escalating
> themselves into administrative privileges in bacula's console.
Hello, Peter. You are right in all your affirmatives.
'root' was just one example, but I thought you would use less generic users for
this solution. I think you can improve the security issues of this script,
e.g., replacing $USER with CONUSER=$(id -u -n), making user spoofing harder.
If you have all workstations securely authenticated in your directory
service (assuming you have one), I think you can improve the security even more.
Besides that, I think a UI with directory service integration would be Bacula
Enterprise Bweb or any Apache one (Webacula, baculum etc.).
Where you see 'band solutions' I see lots of possibilities. Perhaps not the
free plug'n'play one you were expecting. =)
> Thank you.
>
> -pete
Regards,
--
===========================================================================
Heitor Medrado de Faria - LPIC-III | ITIL-F | Bacula Systems Certified
Administrator II
Do you need Bacula training? http://bacula.us/video-classes/
+55 61 8268-4220
Site: http://bacula.us FB: heitor.faria
===========================================================================
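The hardening suggested in the reply above, as an added example that is not part of the original message or of Bacula: the console name comes from `id -u -n` instead of `$USER`, the config goes to a private `mktemp` file rather than a fixed path in /tmp, and the Console password is read from a per-user file so that users do not share one. The function name, the `--run` switch and the password file path `~/.bconsole.pass` are assumptions, and it assumes the Director defines a Console resource with its own password for each user.

```shell
#!/bin/sh
# Added example, not the script from the thread.
DIR_NAME=hfaria-K46CB-dir   # Director name as given in the thread
DIR_ADDRESS=localhost

# write_console_conf PASSFILE
# Writes a private bconsole config for the invoking user, prints its path.
write_console_conf() {
    passfile=$1
    # Account name looked up from the process uid. $USER is only an
    # environment variable that the caller can set to any value.
    conuser=$(id -u -n) || return 1
    # Assumption: PASSFILE holds this user's own Console password and is
    # readable only by that user.
    [ -r "$passfile" ] || { echo "no password file: $passfile" >&2; return 1; }
    IFS= read -r conpass < "$passfile" || [ -n "$conpass" ] || return 1
    # Refuse an empty password or one that would break out of the quoted value.
    case $conpass in ''|*'"'*) echo "unusable password" >&2; return 1 ;; esac
    # mktemp gives an unpredictable name and creates the file with mode 0600.
    conf=$(mktemp "${TMPDIR:-/tmp}/bconsole.XXXXXX") || return 1
    cat > "$conf" <<EOF
Director {
  Name = $DIR_NAME
  DIRport = 9101
  Address = $DIR_ADDRESS
  Password = "xxxx"
}
Console {
  Name = $conuser
  Password = "$conpass"
}
EOF
    printf '%s\n' "$conf"
}

# Hypothetical entry point: "wrapper.sh --run" starts bconsole.
if [ "${1:-}" = "--run" ]; then
    conf=$(write_console_conf "$HOME/.bconsole.pass") || exit 1
    trap 'rm -f "$conf"' EXIT
    bconsole -c "$conf"
fi
```

The wrapper only keeps honest users on their own console; what stops one user from authenticating as another is that the Director checks a distinct password per Console name.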