List: bacula-users
Subject: Re: [Bacula-users] Restricting who can restore data from which system to where
From: lst_hoe02 () kwsoft ! de
Date: 2012-10-31 22:22:53
Message-ID: 20121031232253.Horde.lHdKc06jTahQkaS9QSn0kkA () webmail ! kwsoft ! de
Quoting r.schuitemaker@kpn.com:
>>> To solve things, I've tried setting ACLs in the Console
>>> statement like this:
>>>
>>> Console {
>>> Name = Almond
>>> Password = ""
>>> ClientACL = Almond
>>> StorageACL = Almond_Storage
>>> PoolACL = Almond_Pool
>>> }
>>>
>>> But this doesn't work. I thought this would limit the client as
>>> defined in Client { Name= Almond.....} to access only the listed
>>> storage and pools (which would be great, as almond has its own
>>> reserved pool), but it doesn't do that. I think I may be interpreting
>>> the manual the wrong way. I've googled and found several other people
>>> asking the same question, but no working answers.
>
>> The Console statement in bacula-dir.conf isn't designed to match a
>> named Client statement. You need to put a special bconsole.conf on
>> the client, so that it uses the Console directive in the
>> bacula-dir.conf.
>
>> See the restricted-user examples here:
>
>> http://www.bacula.org/5.2.x-manuals/en/main/main/Console_Configuration.html
>
>> __Martin
>
> Martin,
>
> Thanks for your answer, but that doesn't fully solve my issue. The
> root user on client A can modify his own bconsole.conf, so any
> security that depends on bconsole.conf isn't security. I only want
> to trust those clients like a bank trusts its safety deposit box
> holders: I trust client A with the files from Client A and with
> Client A's password, but I don't trust Client A with Client B's
> files, just like the bank will trust Client A with the key to his
> box, but not with the key to Mr. B's box. I'd like the security to
> be such that only client A can access client A's files, and nothing
> more. I don't see how I can accomplish that by using only a
> bconsole.conf on the client side. Is there any other way that you
> know of?
You might have a look at data encryption. With one certificate/key
pair per machine only the matching key owner will be able to restore
files.
Regards
Andreas
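
Added example, not part of the original message and not taken from the poster's setup: a File Daemon configuration for the client "Almond" using Bacula's PKI directives, so that file data is encrypted on the client with that machine's own key pair. The FD name, directory paths and key file names are assumptions.

```conf
# bacula-fd.conf on client "Almond"
# (FD name, directories and key file names below are assumptions)
#
# Key material, generated once on this machine and on no other:
#   openssl genrsa -out almond-fd.key 2048
#   openssl req -new -x509 -key almond-fd.key -out almond-fd.cert
#   cat almond-fd.key almond-fd.cert > /etc/bacula/almond-fd.pem
#   chmod 600 /etc/bacula/almond-fd.pem
#
# Every other client repeats these steps with its own key, so a File
# Daemon holding only its own .pem cannot decrypt another client's data.

FileDaemon {
  Name = almond-fd
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run

  # Sign file data so modification is detected at restore time.
  PKI Signatures = Yes

  # Encrypt file data on the client before it leaves the machine.
  PKI Encryption = Yes

  # This machine's private key and certificate in one PEM file.
  PKI Keypair = "/etc/bacula/almond-fd.pem"

  # Public certificate of a recovery key. Only the certificate is
  # deployed here; the matching private key stays offline with the
  # backup administrator for the case where the client's key is lost.
  PKI Master Key = "/etc/bacula/master.cert"
}
```

Bacula's PKI encryption covers file contents only; path names and file attributes are still stored unencrypted, so the Console ACLs remain relevant for limiting what a client can list.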