List: bacula-bugs
Subject: [Bacula-bugs] [Bacula Bug Reports 0001954]: Security issue: ordinary users have an access to bacula-
From: Mantis Bug Tracker <nobody () bugs ! bacula ! org>
Date: 2014-07-13 8:23:01
Message-ID: 78e0f080a2bc75230858b56cfdd04236 () bugs ! bacula ! org
The following issue has been REOPENED.
======================================================================
http://bugs.bacula.org/view.php?id=1954
======================================================================
Reported By: giner
Assigned To:
======================================================================
Project: Bacula Bug Reports
Issue ID: 1954
Category: Win32 File Daemon (client)
Reproducibility: always
Severity: major
Priority: normal
Status: feedback
======================================================================
Date Submitted: 2012-11-15 08:24 GMT
Last Modified: 2014-07-13 09:23 BST
======================================================================
Summary: Security issue: ordinary users have an access to
bacula-fd.conf
Description:
Default Bacula client installation for Windows allows ordinary users to read the
whole bacula (%programfiles%\bacula) directory. If a user gets a password
from bacula-fd.conf they can read/modify any file on a system remotely through
the bacula file daemon (it's pretty dangerous).
Only SYSTEM and Administrators should have access to the bacula directory by
default.
======================================================================
----------------------------------------------------------------------
(0006944) kern (administrator) - 2014-07-05 17:10
http://bugs.bacula.org/view.php?id=1954#c6944
----------------------------------------------------------------------
Previously Bacula had very tight permissions on these files, and users
complained a lot because they were not able to edit them. As a consequence, we
eased the permissions, so the conf files could be edited and documented in the
Windows chapter of the manual how to improve the security.
If you can get a number of users to request that this be changed, I will do so,
but since users seem to for the most part prefer the current way of doing it, I
am inclined not to change anything.
----------------------------------------------------------------------
(0006974) giner (reporter) - 2014-07-13 09:23
http://bugs.bacula.org/view.php?id=1954#c6974
----------------------------------------------------------------------
You should be in Administrators group to install the client anyway so it would
be fair to restrict this folder only for Administrators.
Issue History
Date Modified     Username  Field       Change
======================================================================
2012-11-15 08:24  giner     New Issue
2014-07-05 17:10  kern      Note Added: 0006944
2014-07-05 17:10  kern      Status      new => closed
2014-07-05 17:10  kern      Resolution  open => no change required
2014-07-13 09:23  giner     Note Added: 0006974
2014-07-13 09:23  giner     Status      closed => feedback
2014-07-13 09:23  giner     Resolution  no change required => reopened
======================================================================
------------------------------------------------------------------------------
_______________________________________________
Bacula-bugs mailing list
Bacula-bugs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-bugs
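
An added example, not part of the original report and not Bacula project code: a PowerShell check that lists every Allow ACE on the client directory and its .conf files held by anyone other than SYSTEM or Administrators, which is the state the reporter asks for. The install path default, the function name Get-UnexpectedAce and the -Fix switch are assumptions made for this example; run it from an elevated session.

```powershell
# Added example: audit (and optionally tighten) the ACL on the Bacula client directory.
# Assumption: the client lives under %ProgramFiles%\Bacula; pass -BaculaDir otherwise.
param(
    [string]$BaculaDir = (Join-Path $env:ProgramFiles 'Bacula'),
    [switch]$Fix    # hypothetical switch for this example: apply the restrictive ACL
)

# Well-known SIDs allowed to hold access: SYSTEM and BUILTIN\Administrators.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-UnexpectedAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so the check works on localized Windows builds.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($allowedSids -notcontains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the directory itself plus every .conf file below it (bacula-fd.conf holds the password).
$confFiles = Get-ChildItem -LiteralPath $BaculaDir -Recurse -Filter '*.conf' -File
$targets   = @($BaculaDir) + @($confFiles | ForEach-Object { $_.FullName })
$findings  = $targets | ForEach-Object { Get-UnexpectedAce -Path $_ }
$findings | Format-Table -AutoSize

if ($Fix -and $findings) {
    # Build a protected DACL (no inheritance from Program Files) with only the two allowed SIDs.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in $allowedSids) {
        $id = New-Object System.Security.Principal.SecurityIdentifier $sid
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $BaculaDir -AclObject $acl
    # Reset children so they inherit only from the tightened parent.
    icacls (Join-Path $BaculaDir '*') /reset /T /C | Out-Null
}
```

After -Fix, editing bacula-fd.conf requires an elevated editor, which is the usability trade-off raised in note 0006944.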