From owner-freebsd-ports@FreeBSD.ORG  Tue Feb  7 11:11:55 2006
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
X-Original-To: ports@FreeBSD.org
Delivered-To: freebsd-ports@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E52A116A420
	for <ports@FreeBSD.org>; Tue,  7 Feb 2006 11:11:55 +0000 (GMT)
	(envelope-from pawel.zakiewicz@thebunker.net)
Received: from male.aldigital.co.uk (male.thebunker.net [213.129.64.13])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8DA3A43D45
	for <ports@FreeBSD.org>; Tue,  7 Feb 2006 11:11:55 +0000 (GMT)
	(envelope-from pawel.zakiewicz@thebunker.net)
Received: from [172.16.3.53] (gateway.ash.thebunker.net [213.129.64.4])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by male.aldigital.co.uk (Postfix) with ESMTP
	id C2FD097789; Tue,  7 Feb 2006 11:11:53 +0000 (GMT)
Message-ID: <43E88083.9080004@thebunker.net>
Date: Tue, 07 Feb 2006 11:12:03 +0000
From: Pawel Zakiewicz <pawel.zakiewicz@thebunker.net>
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051011)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Lars.Koeller@Uni-Bielefeld.DE
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: ports@FreeBSD.org
Subject: FreeBSD Port: bacula-server-1.38.5_1
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2006 11:11:56 -0000

Hi,

There is possible security issue in default Bacula
configuration, as one of their initialization scripts
creates MySQL database user with no password, enabled
to connect from everywhere, with all permissions to
bacula database.

There is some info in Bacula docs, that "If you need
more security, please assign a password to the root
user and to bacula." but, I my opinion, real problem
is allowing by default connections from everywhere...

Bacula can operate with localhost connection only,
as long as it is installed on same box with MySQL,
for other cases, specific hostname should be provided.

it maybe fixed in following way:

--- src/cats/grant_mysql_privileges.in  Sat May  1 22:10:17 2004
+++ src/cats/grant_mysql_privileges.in.patched  Tue Feb  7 11:04:57 2006
@@ -4,11 +4,14 @@
  #
  USER=bacula
  bindir=@SQL_BINDIR@
+HOST=`hostname`
+
+echo ${HOST}

  if $bindir/mysql $* -u root -f <<END-OF-DATA
  use mysql
  grant all privileges on bacula.* to ${USER}@localhost;
-grant all privileges on bacula.* to ${USER}@"%";
+grant all privileges on bacula.* to ${USER}@"${HOST}";
  select * from user;
  flush privileges;
  END-OF-DATA

Cheers,
Pawel


-- 
Pawel Zakiewicz               Tel: +44 (1304) 814800
The Bunker                    Fax: +44 (1304) 814899
Ash Radar Station             http://www.thebunker.net
Marshborough Rd               mailto:pawel.zakiewicz@thebunker.net
Sandwich
Kent
CT13 OPL
UNITED KINGDOM