From owner-freebsd-ports@FreeBSD.ORG Tue Feb 7 11:11:55 2006
Message-ID: <43E88083.9080004@thebunker.net>
Date: Tue, 07 Feb 2006 11:12:03 +0000
From: Pawel Zakiewicz
To: Lars.Koeller@Uni-Bielefeld.DE
Cc: ports@FreeBSD.org
Subject: FreeBSD Port: bacula-server-1.38.5_1

Hi,

There is a possible security issue in the default Bacula configuration, as one of their initialization scripts creates a MySQL database user with no password, enabled to connect from everywhere, with all permissions to the bacula database. There is some info in the Bacula docs, that "If you need more security, please assign a password to the root user and to bacula." but, in my opinion, the real problem is allowing by default connections from everywhere... Bacula can operate with a localhost connection only, as long as it is installed on the same box with MySQL; for other cases, a specific hostname should be provided.

It may be fixed in the following way:

--- src/cats/grant_mysql_privileges.in Sat May 1 22:10:17 2004 +++ src/cats/grant_mysql_privileges.in.patched Tue Feb 7 11:04:57 2006 @@ -4,11 +4,14 @@ # USER=bacula bindir=@SQL_BINDIR@ +HOST=`hostname` + +echo ${HOST} if $bindir/mysql $* -u root -f <
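
Review bot: the added HOST=`hostname` line does not cover the same-box case the message itself describes. If HOST becomes the host part of the grant (the rest of the hunk is cut off here, so its use cannot be checked), the account is tied to the machine's own hostname, while a client connecting over the local socket is seen by MySQL as localhost and would not match that entry. Defaulting HOST to localhost and letting the administrator override it for a remote Director would fit the stated goal better. The added echo ${HOST} also looks like leftover debugging output and can be dropped from the script.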