Review for Source Package: src:bacula
 
[Summary]

Bacula is a set of packages that offer a complete, enterprise-level data
backup, recovery and verification solution across a network of computers
of different kinds. It includes server components, client components and
database adapters. The deja-dup package might appear like an
alternative, on a naive text search, but bacula has a much wider scope
compared to it.

MIR team ACK under the constraint to resolve the below listed “Required
TODOs” and as much as possible having a look at the “Recommended TODOs”.

Due to a significant CVE history, this does need a security review. I'll
assign ubuntu-security. The Security team might need responses to #8 and
#9.

List of specific binary packages to be promoted to main: all
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0 The client components include a GUI-based administration console.

#1 The packages also include three daemons, one of which is run as root.

#2 Bacula also seems to support centralized accounts through LDAP BPAM.

#3 The reporter indicates that the Server team agrees to be subscribed
to the package.

Required TODOs:

#4 Please have a team subscribed to the package.

#5 It is mentioned that the Server team agrees to be subscribed. Please
confirm if the Server team also agrees to maintain the GUI-based console
package: bin:bacula-console-qt.

#6 Dependencies of bin:bacula-director-sqlite3 are not in main, as also
noted by the reporter. One among bin:dbconfig-sqlite3 and
bin:dbconfig-no-thanks will need to be promoted to main as a prerequisite.

#7 As also noted by the reporter, bacula-sd "Recommends" mt-st. The
latter needs to be dropped to "Suggests" or MIR'd.

#8 The bacula-fd.service daemon runs as root. Is this absolutely
essential or could this be run as a non-root user?

#9 There seems to be support for centralized online accounts through
LDAP-BPAM login support. Please confirm if LDAP-BPAM support is enabled
or disabled while building the package.

Recommended TODOs:

#10 The src:bacula package doesn’t have build-time tests. Please
consider adding a suite of simple build-time tests. Please document the
rationale if this is not feasible.

#11 Consider resolving the lintian warnings listed under the [Packaging
red flags] problems.

#12 Consider addressing the warnings and incautious uses of
malloc/sprintf mentioned under [Upstream red flags] problems.


[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
- The rationale given in the report seems valid and useful for Ubuntu.

Problems:
- Please have a team subscribed to the package.
- Does the Server team also agree to maintain the GUI package:
bacula-console-qt?


[Dependencies]
OK:
- src:bacula checked with check-mir
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
   more tests now.
 
Problems:
- Dependencies of bin:bacula-director-sqlite3 are not in main
   => Package: bacula-director-sqlite3
        Depends: dbconfig-sqlite3 | dbconfig-no-thanks
        Both "dbconfig-sqlite3" and "dbconfig-no-thanks" are in universe
- bin:bacula-sd recommends mt-st which is in universe
   

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a Golang package
- not a Rust package

Problems: None

[Security]
OK:
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
  => opens ports 9101 (bacula-director), 9102(bacula-fd), 9103(bacula-sd)
- does not process arbitrary web content
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
  => uses openssl for cryptography operations
- this makes appropriate (for its exposure) use of established risk
  mitigation features (dropping permissions, using temporary environments,
  restricted users/groups, seccomp, systemd isolation features,
  apparmor, ...)
  => uses restricted user/groups for most operations, bacula-fd seems to use
  root/root
  
Problems:
- History of CVEs is quite significant
  => https://security-tracker.debian.org/tracker/source-package/bacula
  => Needs a full security review
- The bacula-fd.service daemon runs as root
- Uses centralized online accounts
  => has a feature to support LDAP-based login


[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- not a Python package, but recommends python3
- not a Golang package

Problems:
- does not have a test suite that runs at build time

[Packaging red flags]
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
  => Though some of the packages contain shared libraries they seem to be
  application-private, and not consumed externally.
- debian/watch is present and looks ok
- Upstream update history is slow
  => ~1 release every year
- Debian/Ubuntu update history is good
  => before 2024, it appears very sporadic, possibly related to the slow
  upstream update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Minor lintian warnings
W: bacula source: mismatched-override license-problem-non-free-RFC src/lib/sha1.h [debian/source/lintian-overrides:5]
W: bacula-common: mismatched-override hardening-no-fortify-functions [usr/lib/bacula/libbacfind-*.so] [usr/share/lintian/overrides/bacula-common:4]
W: bacula-client: old-fsf-address-in-copyright-file
W: bacula-common: old-fsf-address-in-copyright-file
W: bacula-director-mysql: old-fsf-address-in-copyright-file
W: bacula-director-pgsql: old-fsf-address-in-copyright-file
W: bacula-director-sqlite3: old-fsf-address-in-copyright-file
W: bacula-server: old-fsf-address-in-copyright-file

[Upstream red flags]
OK:
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
  => some bacula commands do need su powers
- no use of user 'nobody' outside of tests
- use of setuid, but ok because
  => the dird, filed and stored daemons use setuid/setgid to drop privileges
  *when requested*
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- translations present
 
Problems:
- the upstream configure and build steps produce over 500 warnings
- quite a few incautious uses of malloc/sprintf found
  => examples: src/lib/bsys.c:1550, src/filed/fd_snapshot.c:1330,
  src/stored/btape.c:2374
- Debian has one open bug classified "important"
  => https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108272


** Bug watch added: Debian Bug tracker #1108272
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108272

** Changed in: bacula (Ubuntu)
     Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/2112455

Title:
  [MIR] bacula
