
Re: [Bacula-devel] Security reports

Tullio Andreatta ML wrote:
> Dan Langille wrote:
>> This post deals with old and already fixed security issues.  They are 
>> fixed in Bacula.  They may not be fixed in the reported vendor code, 
>> in this case Gentoo.
>> I noticed these two security reports today:
>>   http://www.securityfocus.com/archive/1/494604
>>   http://www.net-security.org/advisory.php?id=9098
>> I have replied to the first one, directing them to the original 
>> problem report: http://bugs.bacula.org/view.php?id=990
>> NOTE: this issue was first documented in 2005 by the Bacula project. 
>> The documentation contains several examples as to how to avoid this 
>> situation.
> I modified make_catalog_backup to provide the db password on stdin.
> Then I call the script with
>  (echo password; exec sleep 1) | make_catalog_backup bacula bacula -
> to hide the password on the command line.

I'm not convinced this solves the problem.  The password is still 
available publicly, via ps auwx, for a short time.

> Patch attached.
> P.S.: Since the password may be retrieved from the environment of
>    make_catalog_backup, I also defined a read-only dbuser
>    who does the catalog backup.
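As an added example (not Bacula's make_catalog_backup and not code from either poster), a POSIX sh sketch of the stdin convention described above: the password is read when the argument is "-", then handed to the dump tool through a mode-0600 options file (mysqldump's real --defaults-extra-file) instead of argv or the environment. The dump invocation itself is only shown as a comment; the file path and user name are assumptions.

```shell
#!/bin/sh
# Added example, not Bacula's own make_catalog_backup.
# Goal: the catalog DB password never appears in argv (visible to every
# local user via ps) nor in the environment of the dump tool.

# read_password NAME_OR_DASH: prints the password; "-" means read it from
# stdin, as in "(echo password; exec sleep 1) | make_catalog_backup ... -".
read_password() {
    if [ "$1" = "-" ]; then
        IFS= read -r _pw || return 1
    else
        _pw=$1          # legacy path: this value is visible in argv
    fi
    printf '%s' "$_pw"
}

# write_defaults_file USER PASSWORD DIR: creates DIR/my.cnf readable only by
# the invoking user and prints its path. umask runs in a subshell so the
# caller's umask is untouched.
write_defaults_file() {
    _f="$3/my.cnf"
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$_f" ) || return 1
    printf '%s' "$_f"
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat fallback),
# so a caller can verify the options file really is 0600 before using it.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Intended use (dump tool not run here):
#   pw=$(read_password -) < /dev/stdin
#   dir=$(mktemp -d) && cnf=$(write_defaults_file bacula "$pw" "$dir")
#   [ "$(file_mode "$cnf")" = 600 ] && mysqldump --defaults-extra-file="$cnf" bacula
#   rm -rf "$dir"
```

The options file, unlike `--password=` on the command line, is not exposed through ps, and unlike an exported variable it is not inherited by every child of the script.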
