[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bacula-devel] Security reports

Wolfram Schlich wrote:
> * Dan Langille <dan@xxxxxxxxxxxx> [2008-07-22 18:02]:
>> Tullio Andreatta ML wrote:
>>> Dan Langille wrote:
>>>> This post deals with old and already fixed security issues.  They are 
>>>> fixed in Bacula.  They may not be fixed in the reported vendor code, 
>>>> in this case Gentoo.
>>>> I noticed these two security reports today:
>>>>   http://www.securityfocus.com/archive/1/494604
>>>>   http://www.net-security.org/advisory.php?id=9098
>>>> I have replied to the first one, directing them to the original 
>>>> problem report: http://bugs.bacula.org/view.php?id=990
>>>> NOTE: this issue was first documented in 2005 by the Bacula project. 
>>>> The documentation contains several examples as to how to avoid this 
>>>> situation.
>>> I modified the make_catalog_backup to provide db password on stdin.
>>> Then I call the script with
>>>  (echo password; exec sleep 1) | make_catalog_backup bacula bacula -
>>> to hide the password on the command line.
>> I'm not convinced this solves the problem.  The password is still 
>> available publicly, via ps auwx, for a short time.
> https://bugs.gentoo.org/show_bug.cgi?id=196834#c3

The above uses my.conf, which is what we documented and advise:


This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
Bacula-devel mailing list

This mailing list archive is a service of Copilotco.