Bacula 1.29 User's Guide Chapter 17

Bacula Security Issues

  • The Clients (bacula-fd) must run as root to be able to access all the system files.
  • It is not necessary to run the Director as root.
  • It is not necessary to run the Storage daemon as root, but you must ensure that it can open the tape drives, which are often restricted to root access.
  • You should restrict access to the Bacula configuration files, so that the passwords are not world-readable. The Bacula daemons are password protected using CRAM-MD5 (i.e. the password is not sent across the network). This will ensure that not everyone can access the daemons.
  • If you are using the recommended ports 9101, 9102, and 9103, you will probably want to protect these ports from external access using a firewall and/or TCP wrappers (/etc/hosts.allow).
  • Currently all data that is sent across the network is unencrypted. As a consequence, unless you use ssh for port forwarding, it is not recommended to do a backup across an insecure network (e.g. the Internet). In a future version, we plan to have ssh encryption built-in.
  • You should ensure that the Bacula working directories are readable and writable only by the Bacula daemons.
  • If you are using MySQL it is not necessary for it to run with root permission.
  • Don't forget that Bacula is a network program, so anyone anywhere on the network with the console program and the Director's password can access Bacula and the backed up data.
  • You can restrict what IP addresses Bacula will bind to by using the appropriate DirAddress, FDAddress, or SDAddress records in the respective daemon configuration files.
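The following shell function checks the two permission items above (configuration files not world-readable, working directories closed to other users). It is an added example, not part of the Bacula distribution; the paths are passed as arguments because they depend on your installation.

```shell
#!/bin/sh
# Added example (not from the Bacula project): audit permissions on Bacula
# configuration files and working directories. All paths are supplied by the
# caller; none are assumed here.

# has_other_access PATH
# Succeeds if the "other" class has any read, write or execute bit on PATH
# itself. -H follows a symlink given on the command line; -prune stops find
# from descending into directories.
has_other_access() {
    [ -n "$(find -H "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)" ]
}

# audit_bacula_perms PATH...
# Prints one line per path and returns non-zero if any path is exposed.
# Missing paths are reported but not counted, since a host may run only
# one of the daemons.
audit_bacula_perms() {
    findings=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "SKIP     $p (not present)"
        elif has_other_access "$p"; then
            echo "EXPOSED  $p ($(ls -ld "$p" | cut -d' ' -f1))"
            findings=$((findings + 1))
        else
            echo "OK       $p"
        fi
    done
    [ "$findings" -eq 0 ]
}

# When run as a script, audit the paths given on the command line, e.g.
#   sh audit.sh <path to bacula-dir.conf> <path to working directory>
if [ "$#" -gt 0 ]; then
    audit_bacula_perms "$@"
fi
```

An EXPOSED configuration file means any local user can read the daemon passwords it contains; tighten it with chmod so that only the account running the daemon (and, if needed, its group) has access.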

TCP Wrappers

TCP Wrappers are implemented if you turn them on when configuring (./configure --with-libwrap). With this code enabled, you may control who may access your daemons by editing the file /etc/hosts.allow. This code is implemented but untested.


Bacula 1.29 User's Guide
The Network Backup Solution
Copyright © 2000-2003
Kern Sibbald and John Walker