
Re: [Bacula-devel] Ubuntu question


On Sunday 19 October 2008 10:48:57 Philipp Geschke wrote:
> Hi,
>
> Kern Sibbald wrote:
> >>>> The problem is the FDAddress line. Take it out and things work.
> >>>
> >>> Yes, they are making it listen on localhost only rather than on any
> >>> device. Not very good.
> >
> > We have a number of issues with their packaging, and what Eric has done is
> > to submit bug reports as he encounters the issues.  I suggest you submit
> > a bug report.  The question of security can be resolved by proper
> > firewalling in my opinion.
>
> While I am pretty pissed at Ubuntu / Debian about bad Bacula packages, 

Packaging is not easy, and everyone has his/her own idea how to do it. We can 
tell them where we think they should change something, but it is up to the 
packager.

> THIS 
> should not be part of the reason. Since firewalling and backup are two
> completely different things, you cannot design your package with the
> assumption that the user will set up proper firewalling. Well, they won't.
> More than 70% of the Linux admins these days don't know what they are
> doing.
> Hence, it is the right thing to preconfigure a daemon to listen to
> 127.0.0.1. A quick netstat will show you, and it takes 1 min to correct.
> Since every bacula-fd.conf under Debian(alike) has the same password, it's
> obligatory to edit the config anyway. If you don't, then at least the
> daemon won't be reachable from the outside world.
>
> I think this is way better than what postfix package does. Listen on all
> interfaces per default, while on 98% of the machines you want only local
> mail to find its way to a relay. Now it only takes an admin to do a silly
> "adduser test" on the box, and here we go, another open relay.
>
> So imho binding a daemon to 127.0.0.1 per default is a pretty smart thing
> ;-)
>
>

Well, you are welcome to your opinion.

netstat may be obvious to you as it is to me, but it is not for a large class 
of Linux users, who want to use Bacula.  

In addition, following this kind of logic, one should install DNS, SSH, 
Apache, and all the other servers by default to be bound to localhost. 

Bacula is, IMO, quite secure as it is, and in 3.0.0 it will be even more 
secure.  By binding the daemons to localhost, one simply increases support 
requests and frustrates a larger number of the users, so Bacula-produced 
packages will not be hobbled in this way.


Regards,

Kern
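
The disagreement in this thread turns on one `FDAddress` directive in bacula-fd.conf. The following Python check is an added example, not part of the original message and not Bacula's own code; it reports whether a File Daemon configuration binds to loopback only or to all interfaces. The sample configuration is constructed, the function name `fd_listen_scope` is hypothetical, and only the single-value `FDAddress` form is handled.

```python
import ipaddress
import re

# Constructed sample resembling the packaged bacula-fd.conf discussed above.
SAMPLE_CONF = """
Director {
  Name = backup-dir
  Password = "CONSTRUCTED-PLACEHOLDER"
}
FileDaemon {                      # this client
  Name = host-fd
  FDport = 9102
  FDAddress = 127.0.0.1           # packager default under discussion
}
"""

def _norm(key):
    # Bacula ignores case and spaces in resource and directive names.
    return re.sub(r"\s+", "", key).lower()

def fd_listen_scope(conf_text):
    """Return 'loopback', 'all-interfaces' or 'specific:<addr>'."""
    in_fd, address = False, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        opener = re.match(r"^([A-Za-z ]+?)\s*\{$", line)
        if opener:
            # "Client" is accepted as a synonym for "FileDaemon".
            in_fd = _norm(opener.group(1)) in ("filedaemon", "client")
        elif line.startswith("}"):
            in_fd = False
        elif in_fd and "=" in line:
            key, value = line.split("=", 1)
            if _norm(key) == "fdaddress":
                address = value.strip().strip('"')
    if address is None:
        return "all-interfaces"                  # no FDAddress line at all
    try:
        ip = ipaddress.ip_address(address)
        if ip.is_unspecified:
            return "all-interfaces"
        if ip.is_loopback:
            return "loopback"
    except ValueError:                           # a host name, not an IP
        if address.lower() == "localhost":
            return "loopback"
    return "specific:" + address

if __name__ == "__main__":
    print(fd_listen_scope(SAMPLE_CONF))
```

A result of `loopback` means a remote Director cannot reach the File Daemon until the line is removed or changed, which is the failure reported at the start of the thread.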
