From: Scott B. <sc...@ba...> - 2008-08-01 21:34:59
|
On Fri, 2008-08-01 at 10:33 +0100, Martin Simmons wrote: > >>>>> On Thu, 31 Jul 2008 23:05:52 +0200, Kern Sibbald said: > > > > On Thursday 31 July 2008 22:27:11 Scott Barninger wrote: > > > Hello Kern, > > > > > > It is true this is a packaging issue and it is true that bconsole in the > > > project rpm packages can not be executed by a script since it's > > > permissions are set root,root. I'm not sure I call that a bug. Should a > > > script be able to execute the console? > > > > I don't think it is a bug either, but it is something I never really thought > > about. If you do a make install running as root, then Bacula can execute a > > script which can call bconsole, and it can be very useful for certain > > operations. > > > > I am not 100% sure about the security implications, which is one of the > > reasons I asked you to "take a look at it" rather than "please fix it". My > > basic instinct is to not change anything, because I am nervous about having a > > non-restricted console executable by anyone other than root unless the > > SysAdmin explicitly permits it. That way, we ship something that we know > > doesn't have an unexpected security problem. > > OTOH, the file is installed world readable and is build from open source, so > anyone can make their own executable copy of it without much effort. The > important file for security is the bconsole.conf. Agreed. However what we, or more correctly I, am discussing is not what you or anyone "might" do with the source, but what we(I) are shipping as project binary packages. Thanks. > > __Martin > |