[Bacula-users] Avoiding user file manipulation

Fri, 14 Nov 2008 02:18:04 -0800

Hello,

I'm trying to configure a "secure" bwx-console.conf file. Files in my Server and Client are configured as you can see here:

SERVER:
bacula-dir.conf:
Director {
  Name = server_name
  DIRport = 9101
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 3
  Password = "password"
  Messages = Daemon
  DirAddress = IP_Address # :)
}
Console {
  Name = usuarios
  Password = "abcde"
  JobACL = Backup-clientA, RestoreFiles
  ScheduleACL = *all*
  ClientACL = clientA-fd
  FileSetACL = Usuario-Windows
  CatalogACL = Catalogo-USUARIOS
  CommandACL = setdebug,cancel,disable,estimate,help,messages,restore,run,status,exit,.backups,.clients,.defaults,.exit,.filesets,.help,.jobs,.messages,.pools,.quit,.status,.storage
  StorageACL = *all*
  PoolACL = Incr_USUARIOS
}

CLIENT:
bwx-console.conf:
Director {
  Name = server_name
  DIRport = 9101
  address = IP_Address
  Password = "xxxxx"   # an incorrect password!!
}

Console {
  Name = usuarios
  Password = "abcde"  # the same password there is in the bacula-dir.conf
}
bacula-fd.conf:
FileDaemon {  
  Name = clientA-fd
  FDport = 9102                # where we listen for the director
  WorkingDirectory = "C:\\Documents and Settings\\All Users\\Datos de programa\\Bacula\\Work"
  Pid Directory = "C:\\Documents and Settings\\All Users\\Datos de programa\\Bacula\\Work"
  Maximum Concurrent Jobs = 1
}

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = server_name
  Password = "password"
  Address = IP_Address
}

#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = clientA-mon
  Password = "password"
  Monitor = yes
}

Messages {
  Name = Standard
  director = server_name = all, !skipped, !restored
}

With this configuration, users can do only command listed in "CommandACL" (it is OK!!), but if a user modify his files and removes Console in bwx-console and changes password value (he can see in bacula-fd.conf that password is "password"), he obtain a full console...
If I changes passowd value in "bacula-fd.conf" by a wrong value, client can't connect, even console values in bwx-console.conf...

How can I configure server and client for avoid user manipulation and avoid a "normal" user to get a full console??

Thanks..

P.D.: bufff, my english is poooooooor...
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users

Reply via email to