
Re: [Bacula-devel] Security reports


* Dan Langille <dan@xxxxxxxxxxxx> [2008-07-22 18:02]:
> Tullio Andreatta ML wrote:
> > Dan Langille wrote:
> >> This post deals with old and already fixed security issues.  They are 
> >> fixed in Bacula.  They may not be fixed in the reported vendor code, 
> >> in this case Gentoo.
> >>
> >> I noticed these two security reports today:
> >>
> >>   http://www.securityfocus.com/archive/1/494604
> >>   http://www.net-security.org/advisory.php?id=9098
> >>
> >> I have replied to the first one, directing them to the original 
> >> problem report: http://bugs.bacula.org/view.php?id=990
> >>
> >> NOTE: this issue was first documented in 2005 by the Bacula project. 
> >> The documentation contains several examples as to how to avoid this 
> >> situation.
> > 
> > I modified the make_catalog_backup to provide db password on stdin.
> > Then I call the script with
> >  (echo password; exec sleep 1) | make_catalog_backup bacula bacula -
> > to hide the password on the command line.
> 
> I'm not convinced this solves the problem.  The password is still 
> available publicly, via ps auwx, for a short time.

https://bugs.gentoo.org/show_bug.cgi?id=196834#c3
-- 
Regards,
Wolfram Schlich <wschlich@xxxxxxxxxx>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
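
Added example, not part of the thread or of Bacula: a Linux shell check of what the exchange above is about, comparing a worker process that receives a secret as an argument with one that reads it from stdin. The `worker` name, the `SECRET` value and the function names are constructed for illustration, and `/proc` is assumed to be mounted and readable.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with /proc mounted.
# SECRET is a constructed demo value, not a real credential.
SECRET='demo-db-password-1234'

# Return 0 if string $2 appears in the argument vector of PID $1.
# /proc/PID/cmdline is the data that ps prints for a process.
argv_exposes() {
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Inspect a background worker: give it time to exec, test its argv,
# then stop it. Prints "exposed" or "hidden".
check_worker() {
    pid=$1
    sleep 1                      # let the child finish exec before looking
    if argv_exposes "$pid" "$SECRET"; then result=exposed; else result=hidden; fi
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    echo "$result"
}

# Case 1: the secret is a positional argument of the (hypothetical) worker.
# The trailing ':' keeps the shell from exec'ing sleep and replacing its argv.
secret_as_argument() {
    sh -c 'sleep 3; :' worker "$SECRET" >/dev/null 2>&1 &
    check_worker $!
}

# Case 2: the secret is written to the worker's stdin by a shell builtin,
# so no process is ever started with it as an argument.
secret_on_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 3; :' worker >/dev/null 2>&1 &
    check_worker $!
}

echo "argument: $(secret_as_argument)"
echo "stdin:    $(secret_on_stdin)"
```

The check covers only the worker's own argument vector: any shell that was itself started with the whole pipeline text as an argument (for example through `sh -c '...'`) still carries the secret in its own `ps` entry.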
