From: Mantis B. T. <no...@bu...> - 2014-07-13 08:23:09
The following issue has been REOPENED.
======================================================================
http://bugs.bacula.org/view.php?id=1954
======================================================================
Reported By:                giner
Assigned To:
======================================================================
Project:                    Bacula Bug Reports
Issue ID:                   1954
Category:                   Win32 File Daemon (client)
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     feedback
======================================================================
Date Submitted:             2012-11-15 08:24 GMT
Last Modified:              2014-07-13 09:23 BST
======================================================================
Summary:                    Security issue: ordinary users have an access to bacula-fd.conf
Description:
Default Bacula client installation for Windows allows to read the whole bacula (%programfiles%\bacula) directory by ordinary users.
If a user gets a password from bacula-fd.conf they can read/modify any file on a system remotely through the bacula file daemon (it's pretty dangerous).

Only SYSTEM and Administrators should have access to the bacula directory by default.
======================================================================

----------------------------------------------------------------------
 (0006944) kern (administrator) - 2014-07-05 17:10
 http://bugs.bacula.org/view.php?id=1954#c6944
----------------------------------------------------------------------
Previously Bacula had very tight permissions on these files, and users complained a lot because they were not able to edit them. As a consequence, we eased the permissions, so the conf files could be edited and documented in the Windows chapter of the manual how to improve the security.

If you can get a number of users to request that this be changed, I will do so, but since users seem to for the most part prefer the current way of doing it, I am inclined not to change anything.

----------------------------------------------------------------------
 (0006974) giner (reporter) - 2014-07-13 09:23
 http://bugs.bacula.org/view.php?id=1954#c6974
----------------------------------------------------------------------
You should be in the Administrators group to install the client anyway so it would be fair to restrict this folder only for Administrators.

Issue History
Date Modified    Username       Field                    Change
======================================================================
2012-11-15 08:24 giner          New Issue
2014-07-05 17:10 kern           Note Added: 0006944
2014-07-05 17:10 kern           Status                   new => closed
2014-07-05 17:10 kern           Resolution               open => no change required
2014-07-13 09:23 giner          Note Added: 0006974
2014-07-13 09:23 giner          Status                   closed => feedback
2014-07-13 09:23 giner          Resolution               no change required => reopened
======================================================================
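
An added example, not part of the tracker thread and not Bacula project code: a PowerShell audit that lists every access-control entry granting read access to the Bacula client directory or to bacula-fd.conf to anyone other than SYSTEM and Administrators. The function name and the install path under %ProgramFiles%\Bacula are assumptions; the path follows the report's description.

```powershell
# Added example, not Bacula project code.
# SIDs that issue 1954 says should keep access: SYSTEM and BUILTIN\Administrators.
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-UnexpectedReadAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Allowed = $AllowedSids
    )
    $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to $Path itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($Allowed -contains $sid) { continue }

        # Resolve the SID to a name for the report; some SIDs have no name.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Assumed install location, taken from the report: %ProgramFiles%\Bacula.
$dir     = Join-Path $env:ProgramFiles 'Bacula'
$confs   = Get-ChildItem -LiteralPath $dir -Recurse -Filter 'bacula-fd.conf' -File
$targets = @($dir) + @($confs | ForEach-Object { $_.FullName })
$targets | ForEach-Object { Get-UnexpectedReadAce -Path $_ } | Format-Table -AutoSize

# One way to restrict the directory to SYSTEM and Administrators (run elevated);
# explicit grants to other principals, if any, still need icacls /remove:
#   icacls "$dir" /inheritance:r /grant:r "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F"
```

An empty result means only the two allowed principals can read the targets. Service identities inherited from Program Files, such as TrustedInstaller, are listed too unless their SIDs are passed in `-Allowed`.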