Friday, 26 March 2010

Debian Bacula vulnerability / security leak

Another shorty: Bacula is a neat backup tool and Debian provides maintained packages for it. But the install script opens a big security hole. It generates all the necessary configuration files for the file and storage daemons, the director and the console client. It also derives the user names from the host name. And it seems to do this job in a secure way, because the passwords for the Bacula users are long enough to be very secure. This is indeed very important, because the file daemon runs as root, which is necessary so that the file daemon is able to back up the whole system. The only downside is that those passwords are neither generated nor does the installer ask for them. This makes many users believe that those passwords are generated and do not have to be changed. Combining those facts leads to the following situation: every default Bacula installation in Debian uses the same password to secure the file daemon, which is capable of reading all the files of the system as root. So every non-privileged user is able to use this daemon to get access to files he has no access to. |-|4\/3 4 L07 0Ph p|-|U|\|...
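As an added example (not part of the original post), a small Python helper to audit and rotate the passwords in a file daemon configuration: it flags `Password` values that are reused across Director resources or are too short, then rewrites each one with a fresh CSPRNG value. The sample configuration, the minimum length of 32 and the regular expression for Bacula's `Password = "..."` lines are my assumptions.

```python
import re
import secrets
import string

# Constructed sample of a bacula-fd.conf (assumption: two Director resources
# sharing one static password, the situation the post describes).
SAMPLE_FD_CONF = """\
Director {
  Name = example-dir
  Password = "shared-default-password"
}
Director {
  Name = example-mon
  Password = "shared-default-password"
  Monitor = yes
}
FileDaemon {
  Name = example-fd
  FDport = 9102
}
"""

# Matches a Bacula 'Password = "value"' directive; group 1 keeps the prefix.
PASSWORD_RE = re.compile(r'^([ \t]*Password[ \t]*=[ \t]*)"([^"]*)"', re.MULTILINE)
MIN_LEN = 32  # assumption: anything shorter is too weak for a daemon running as root


def audit_passwords(conf):
    """Return findings for Password values that are reused or too short."""
    pws = [pw for _, pw in PASSWORD_RE.findall(conf)]
    findings = []
    for pw in sorted(set(pws)):
        if pws.count(pw) > 1:
            findings.append(f"password reused in {pws.count(pw)} resources")
        if len(pw) < MIN_LEN:
            findings.append(f"password shorter than {MIN_LEN} chars")
    return findings


def new_password(length=40):
    """Generate a random alphanumeric password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_passwords(conf):
    """Replace every Password value with a fresh, unique random one."""
    return PASSWORD_RE.sub(lambda m: f'{m.group(1)}"{new_password()}"', conf)
```

After rotating the file daemon side, the matching `Password` in the director's Client resource has to be updated too, or the director can no longer connect.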
