Date: Tue, 07 Feb 2006 11:12:03 +0000
From: Pawel Zakiewicz <pawel.zakiewicz@thebunker.net>
To: Lars.Koeller@Uni-Bielefeld.DE
Cc: ports@FreeBSD.org
Subject: FreeBSD Port: bacula-server-1.38.5_1
Message-ID: <43E88083.9080004@thebunker.net>

Hi,

There is a possible security issue in the default Bacula configuration, as one of their initialization scripts creates a MySQL database user with no password, enabled to connect from everywhere, with all permissions to the bacula database.

There is some info in the Bacula docs that "If you need more security, please assign a password to the root user and to bacula." but, in my opinion, the real problem is allowing connections from everywhere by default... Bacula can operate with a localhost connection only, as long as it is installed on the same box as MySQL; for other cases, a specific hostname should be provided.

It may be fixed in the following way:

--- src/cats/grant_mysql_privileges.in Sat May 1 22:10:17 2004 +++ src/cats/grant_mysql_privileges.in.patched Tue Feb 7 11:04:57 2006 @@ -4,11 +4,14 @@ # USER=bacula bindir=@SQL_BINDIR@ +HOST=`hostname` + +echo ${HOST} if $bindir/mysql $* -u root -f <<END-OF-DATA use mysql grant all privileges on bacula.* to ${USER}@localhost; -grant all privileges on bacula.* to ${USER}@"%"; +grant all privileges on bacula.* to ${USER}@"${HOST}"; select * from user; flush privileges; END-OF-DATA

Cheers,
Pawel

--
Pawel Zakiewicz       Tel: +44 (1304) 814800
The Bunker            Fax: +44 (1304) 814899
Ash Radar Station     http://www.thebunker.net
Marshborough Rd       mailto:pawel.zakiewicz@thebunker.net
Sandwich
Kent CT13 OPL
UNITED KINGDOM
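
Review bot: The added `HOST=`hostname`` line takes the name of the machine this script runs on, so the replacement grant to `${USER}@"${HOST}"` does not cover the case the message itself calls out, where Bacula runs on a different box and a specific hostname has to be supplied. Consider letting the caller set the host (an environment variable or script argument) and emitting the second grant only when one is given, so the default stays at the existing `${USER}@localhost` grant. Neither grant line carries an `identified by` clause, so the account is still created without a password; narrowing the host reduces exposure but leaves that part of the reported issue open, and it would be worth either setting a password here or saying in the script comments that one must be assigned. The added `echo ${HOST}` reads like leftover debugging output and could be dropped or turned into a message that says which host is being granted access.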