FreeBSD Port: bacula-server-1.38.5_1

[Pawel Zakiewicz]

Hi,

There is possible security issue in default Bacula
configuration, as one of their initialization scripts
creates MySQL database user with no password, enabled
to connect from everywhere, with all permissions to
bacula database.

There is some info in Bacula docs, that "If you need
more security, please assign a password to the root
user and to bacula." but, I my opinion, real problem
is allowing by default connections from everywhere...

Bacula can operate with localhost connection only,
as long as it is installed on same box with MySQL,
for other cases, specific hostname should be provided.

it maybe fixed in following way:

--- src/cats/grant_mysql_privileges.in  Sat May  1 22:10:17 2004
+++ src/cats/grant_mysql_privileges.in.patched  Tue Feb  7 11:04:57 2006
@@ -4,11 +4,14 @@
  #
  USER=bacula
  bindir=@SQL_BINDIR@
+HOST=`hostname`
+
+echo ${HOST}

  if $bindir/mysql $* -u root -f <<END-OF-DATA
  use mysql
  grant all privileges on bacula.* to ${USER}@localhost;
-grant all privileges on bacula.* to ${USER}@"%";
+grant all privileges on bacula.* to ${USER}@"${HOST}";
  select * from user;
  flush privileges;
  END-OF-DATA

Cheers,
Pawel


-- 
Pawel Zakiewicz               Tel: +44 (1304) 814800
The Bunker                    Fax: +44 (1304) 814899
Ash Radar Station             http://www.thebunker.net
Marshborough Rd               mailto:pawel.zakiewicz at thebunker.net
Sandwich
Kent
CT13 OPL
UNITED KINGDOM