Add patches "solving" the issue of bacula exposing passwords et cetera through the command line parameters of various tools (CVE-2007-5626).
diff -r1.26 -r1.27 pkgsrc/sysutils/bacula/Makefile
(tonnerre)
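--- a/pkgsrc/sysutils/bacula/Makefile
+++ b/pkgsrc/sysutils/bacula/Makefile
@@ -1,16 +1,16 @@
-# $NetBSD: Makefile,v 1.26 2008/07/10 13:54:56 dmcmahill Exp $
+# $NetBSD: Makefile,v 1.27 2008/07/13 15:26:36 tonnerre Exp $
 
-PKGREVISION= 3
+PKGREVISION= 4
 
 CONFLICTS+= bacula-client-[0-9]* bacula-clientonly-[0-9]*
 
 PKG_DESTDIR_SUPPORT= destdir
 
 .include "options.mk"
 
 PLIST_SRC= PLIST.common
 PLIST_SRC+= PLIST.server
 
 PLIST_SUBST+= BACULA_DB=${BACULA_DB:Q}
 MESSAGE_SUBST+= PREFIX=${PREFIX:Q}
 MESSAGE_SUBST+= PKGNAME_NOREV=${PKGNAME_NOREV:Q}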
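--- a/pkgsrc/sysutils/bacula/distinfo
+++ b/pkgsrc/sysutils/bacula/distinfo
@@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.28 2008/07/10 13:54:56 dmcmahill Exp $
+$NetBSD: distinfo,v 1.29 2008/07/13 15:26:36 tonnerre Exp $
 
 SHA1 (bacula-2.2.4/2.2.4-lost-block.patch) = d3b9f927100d148e831248b381c5b2543d215502
 RMD160 (bacula-2.2.4/2.2.4-lost-block.patch) = ff24810e204324acc42dbaff0291a0fa02b56e21
 Size (bacula-2.2.4/2.2.4-lost-block.patch) = 1057 bytes
 SHA1 (bacula-2.2.4/2.2.4-parse-command.patch) = 71538cee6fcfa07a20cabdf0e48887294e56723a
 RMD160 (bacula-2.2.4/2.2.4-parse-command.patch) = 6fc6d9a3c3e2defa0bdee725cf3a0e701cdab8f1
 Size (bacula-2.2.4/2.2.4-parse-command.patch) = 849 bytes
 SHA1 (bacula-2.2.4/2.2.4-poll-mount.patch) = 0b8839c3ecd47f58bcff7b0192e9816b2f9034a6
 RMD160 (bacula-2.2.4/2.2.4-poll-mount.patch) = a1bf2692534facb16ccbe697c39a9a61f0a0df35
 Size (bacula-2.2.4/2.2.4-poll-mount.patch) = 823 bytes
 SHA1 (bacula-2.2.4/2.2.4-replace.patch) = ef188d27fc90527737be874c045f6abbe423321c
 RMD160 (bacula-2.2.4/2.2.4-replace.patch) = ffc8d4bd4c4f520d3c2365a13b83fe2921aeda9c
 Size (bacula-2.2.4/2.2.4-replace.patch) = 631 bytes
@@ -18,21 +18,23 @@ Size (bacula-2.2.4/2.2.4-restore.patch)
 SHA1 (bacula-2.2.4/2.2.4-sd-auth-fail.patch) = c73ee8b3865f36752004805f6a44a4fcdaa740b8
 RMD160 (bacula-2.2.4/2.2.4-sd-auth-fail.patch) = eb8db56209c5918677844d751f010281f4b50e41
 Size (bacula-2.2.4/2.2.4-sd-auth-fail.patch) = 5385 bytes
 SHA1 (bacula-2.2.4/2.2.4-sql.patch) = 2e8bf86ba64d5b4d16197fbfeba0ca504b9f3721
 RMD160 (bacula-2.2.4/2.2.4-sql.patch) = ad49cfd911e3d82763d9101f129b7be24e20ec7d
 Size (bacula-2.2.4/2.2.4-sql.patch) = 18382 bytes
 SHA1 (bacula-2.2.4/2.2.4-verify.patch) = 0fe11ff7e49420c13b1b6a79b64e9c511a9e4516
 RMD160 (bacula-2.2.4/2.2.4-verify.patch) = da82063dc69d4de08331e80531b2edd6c4ea40ea
 Size (bacula-2.2.4/2.2.4-verify.patch) = 2076 bytes
 SHA1 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 1fd8e75f231fb3a811696c05ea3c0c719c75289a
 RMD160 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 5005d5566f55a8feb8a7efa610cd60a3d92383af
 Size (bacula-2.2.4/bacula-2.2.4.tar.gz) = 3020298 bytes
 SHA1 (patch-aa) = c1e5ec7c3e78c125b9fbaba97190ead10adbc599
+SHA1 (patch-ab) = 24104c731532c00d2901ccd72f43b7184b006496
 SHA1 (patch-ac) = 585f8a00fe7c0e6e8e4c0b91a0bd32bd2fb81c81
 SHA1 (patch-ae) = 69db6d396bd1654b3065d693c5ea2c0afbb8bc61
 SHA1 (patch-af) = 6ecbac39c156c81f30ba53b565f55ab5e876b3e0
 SHA1 (patch-ag) = a2734446ac79380692dd5a2647928919c9b2f2b8
 SHA1 (patch-ah) = 83b156ac18b64d19ea0022103c50c431f3b86b87
 SHA1 (patch-ai) = 499a164fcf9e4fc466b691f91203b4293dcee7eb
 SHA1 (patch-aj) = df5eba3c80d36ecc26c6acb1566a4411c308b2f0
+SHA1 (patch-ak) = d2b751888edf23a696f347c65ab0f11e6a3829f9
 SHA1 (patch-am) = 0b5b81543eb66ad191d94b59c986561e492a069d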
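--- a/Makefile
+++ b/Makefile
@@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.15 2008/01/04 14:32:50 ghen Exp $
+# $NetBSD: Makefile,v 1.16 2008/07/13 15:26:36 tonnerre Exp $
 
 DISTNAME= bacula-docs-2.0.2
+PKGREVISION= 1
 PKGNAME= ${DISTNAME:S/docs/doc/}
 CATEGORIES= sysutils
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=bacula/}
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.bacula.org/
 COMMENT= Documentation for Bacula - The Network Backup Solution
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 NO_CONFIGURE= yes
 NO_BUILD= yes
 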
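--- a/distinfo
+++ b/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.13 2007/01/31 17:59:10 ghen Exp $
+$NetBSD: distinfo,v 1.14 2008/07/13 15:26:36 tonnerre Exp $
 
 SHA1 (bacula-docs-2.0.2.tar.gz) = a07c74b0c98f7afe0896f3f4908004e3984819e6
 RMD160 (bacula-docs-2.0.2.tar.gz) = 14c6582e9dabc4448fb681be192f46835ba0cb30
 Size (bacula-docs-2.0.2.tar.gz) = 29776690 bytes
+SHA1 (patch-aa) = 04898ece4b4c13b50acf08dad16a76eea0fbfc7d
+SHA1 (patch-ab) = e8320baae18f53f5091a0d0b662ec7e613cc1713
+SHA1 (patch-ac) = 829d3cff40f095f3d2e0959f8dbb368031d7c51b
+SHA1 (patch-ad) = 16a4e438f0931d436d914440d98874dcf0b17467
+SHA1 (patch-ae) = ddcb2258ae20aec96904bf6b08672a413358ed13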
$NetBSD: patch-aa,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- manual/tips.tex.orig 2007-01-15 10:37:15.000000000 +0100
+++ manual/tips.tex
@@ -598,6 +598,11 @@ setup procedure leaves the database open
assign the user {\bf bacula} a userid and add it to your Director's
configuration file in the appropriate Catalog resource.
+If you use the make_catalog_backup script provided by Bacula, remember that
+you should take care when supplying passwords on the command line. Read the
+\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula
+Database - Security Considerations } for more information.
+
\section{Creating Holiday Schedules}
\label{holiday}
\index[general]{Schedules!Creating Holiday }
$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- manual/catmaintenance.tex.orig 2007-01-05 18:20:40.000000000 +0100
+++ manual/catmaintenance.tex
@@ -545,6 +545,8 @@ Job {
Storage = DLTDrive
Messages = Standard
Pool = Default
+ # WARNING!!! Passing the password via the command line is insecure.
+ # see comments in make_catalog_backup for details.
RunBeforeJob = "/home/kern/bacula/bin/make_catalog_backup"
RunAfterJob = "/home/kern/bacula/bin/delete_catalog_backup"
Write Bootstrap = "/home/kern/bacula/working/BackupCatalog.bsr"
@@ -573,6 +575,33 @@ you to quickly recover the database back
you do not have a bootstrap file, it is still possible to recover your
database backup, but it will be more work and take longer.
+
+\label{BackingUpBaculaSecurityConsiderations}
+\section{Security considerations}
+\index[general]{Backing Up Your Bacula Database - Security Considerations }
+\index[general]{Database!Backing Up Your Bacula Database - Security Considerations }
+
+We provide make_catalog_backup as an example of what can be used to backup
+your Bacula database. We expect you to take security precautions relevant
+to your situation. make_catalog_backup is designed to take a password on
+the command line. This is fine on machines with only trusted users. It is
+not acceptable on machines without trusted users. Most database systems
+provide a alternative method, which does not place the password on the
+command line.
+
+The make_catalog_backup contains some warnings about how to use it. Please
+read those tips.
+
+To help you get started, we know PostgreSQL has a password file,
+\elink{
+.pgpass}{http://www.postgresql.org/docs/8.2/static/libpq-pgpass.html}, and
+we know MySQL has
+\elink{ .my.cnf}{http://dev.mysql.com/doc/refman/4.1/en/password-security.html}.
+
+Only you can decide what is appropriate for your situation. We have provided
+you with a starting point. We hope it helps.
+
+
\label{BackingUPOtherDBs}
\section{Backing Up Third Party Databases}
\index[general]{Backing Up Third Party Databases }
$NetBSD: patch-ac,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- manual/pools.tex.orig 2007-01-05 18:20:41.000000000 +0100
+++ manual/pools.tex
@@ -235,6 +235,8 @@ Job {
Messages = Standard
Pool = Default
# This creates an ASCII copy of the catalog
+ # WARNING!!! Passing the password via the command line is insecure.
+ # see comments in make_catalog_backup for details.
RunBeforeJob = "/home/bacula/bin/make_catalog_backup bacula bacula"
# This deletes the copy of the catalog
RunAfterJob = "/home/bacula/bin/delete_catalog_backup"
$NetBSD: patch-ad,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- manual/postgresql.tex.orig 2007-01-05 18:20:41.000000000 +0100
+++ manual/postgresql.tex
@@ -200,6 +200,8 @@ password in place, these two lines shoul
\begin{verbatim}
dbname = bacula; user = bacula; password = "secret"
... and ...
+ # WARNING!!! Passing the password via the command line is insecure.
+ # see comments in make_catalog_backup for details.
RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"
\end{verbatim}
\normalsize
$NetBSD: patch-ae,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- manual/strategies.tex.orig 2007-01-15 10:37:15.000000000 +0100
+++ manual/strategies.tex
@@ -232,6 +232,8 @@ Job {
Messages = Standard
Pool = Default
# This creates an ASCII copy of the catalog
+ # WARNING!!! Passing the password via the command line is insecure.
+ # see comments in make_catalog_backup for details.
RunBeforeJob = "/usr/lib/bacula/make_catalog_backup -u bacula"
# This deletes the copy of the catalog, and ejects the tape
RunAfterJob = "/etc/bacula/end_of_backup.sh"
$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
--- src/cats/make_catalog_backup.in.orig 2007-04-24 17:36:15.000000000 +0200
+++ src/cats/make_catalog_backup.in
@@ -8,7 +8,11 @@
# $2 is the user name with which to access the database
# (default = bacula).
# $3 is the password with which to access the database or "" if no password
-# (default "")
+# (default ""). WARNING!!! Passing the password via the command line is
+# insecure and should not be used since any user can display the command
+# line arguments and the environment using ps. Please consult your
+# MySQL or PostgreSQL manual for secure methods of specifying the
+# password.
# $4 is the host on which the database is located
# (default "")
#
@@ -31,7 +35,7 @@ else
else
MYSQLHOST=""
fi
- ${BINDIR}/mysqldump -u $2$MYSQLPASSWORD$MYSQLHOST -f --opt $1 >$1.sql
+ ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
else
if test xpostgresql = x@DB_TYPE@ ; then
if test $# -gt 2; then
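Review bot: The rewritten line `${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql` only changes how the variables are spelled; the password still reaches mysqldump through `MYSQLPASSWORD` as a command-line argument, so the exposure named in the commit title (CVE-2007-5626) is unchanged for anyone who can list processes while the dump runs, which the comment added in the first hunk itself acknowledges. The assignment of MYSQLPASSWORD and the PostgreSQL branch that follows are outside this hunk, so what exactly is appended is inferred from the header comment (`$3` is the password). A shape that keeps the secret out of argv is to write it to a private option file and hand that to mysqldump with `--defaults-extra-file`, which must be its first option; the file is removed on exit. Independently, the unquoted `$1` in `>$1.sql` splits on whitespace in the database name, so `"$1" >"$1.sql"` is the safer spelling.
```sh
   # … unchanged: MYSQLHOST selection …
   # Keep the password out of argv: mysqldump reads it from a mode-0600
   # option file instead (--defaults-extra-file must be the first option).
   # Assumes $3 is the password as the header comment states; the
   # MYSQLPASSWORD assignment is outside this hunk and is no longer used here.
   MYCNF=`mktemp` || exit 1
   trap 'rm -f "$MYCNF"' 0
   chmod 600 "$MYCNF"
   if test $# -gt 2; then
      printf '[client]\npassword=%s\n' "$3" >"$MYCNF"
   fi
   # ${MYSQLHOST} stays unquoted so it splits into its own option as before.
   ${BINDIR}/mysqldump --defaults-extra-file="$MYCNF" -u ${2}${MYSQLHOST} -f --opt "$1" >"$1.sql"
```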
$NetBSD: patch-ak,v 1.3 2008/07/13 15:26:36 tonnerre Exp $
--- src/dird/bacula-dir.conf.in.orig 2007-05-27 21:30:39.000000000 +0200
+++ src/dird/bacula-dir.conf.in
@@ -61,6 +61,8 @@ Job {
FileSet="Catalog"
Schedule = "WeeklyCycleAfterBackup"
# This creates an ASCII copy of the catalog
+ # WARNING!!! Passing the password via the command line is insecure.
+ # see comments in make_catalog_backup for details.
RunBeforeJob = "@scriptdir@/make_catalog_backup bacula bacula"
# This deletes the copy of the catalog
RunAfterJob = "@scriptdir@/delete_catalog_backup"
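Review bot: The warning added above `RunBeforeJob = "@scriptdir@/make_catalog_backup bacula bacula"` refers to a password argument that this sample invocation does not pass, so a reader of the shipped config cannot tell which argument the comment is about. Naming it helps: `# WARNING!!! The optional third argument to make_catalog_backup is the database password; passing it here exposes it to other users, so prefer a client option file (.my.cnf or .pgpass).` The same ambiguity applies to the manual examples patched in bacula-doc patch-ac and patch-ae, where the example invocations likewise carry no password. The Job resource this line belongs to starts before the hunk.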