View Issue Details

ID: 0001108
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2019-09-03 14:47
Reporter: joergs
Assigned To:
Status: confirmed
Resolution: open
Product Version: 19.2.1
Target Version:
Fixed in Version:
Summary: 0001108: PAM users can be misused to directly connect to the bareos-director without password
Description: When using PAM as authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation the password is set to an empty string ("").

However, these users/consoles can be used to login via bconsole *without* password.
This is of course a security problem.
Steps To Reproduce: Install bareos
Create the following files:

Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

Console {
  Name = user1
  Password = ""
  Profile = admin
}

Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}
systemctl restart bareos-dir.service

bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019) build binary binaries are UNSUPPORTED by
Get official binaries and vendor support on
You are logged in as: user1

Enter a period to cancel a command.
Additional Information: Temporary workaround:
create PAM users with random passwords.
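As an added example (not part of this report or of Bareos itself), the following Python script implements the workaround above: it parses the flat Console resources of the director configuration as shown in the report, lists the consoles whose Password is the empty string and can therefore be used through bconsole without a password, and rewrites each of them with a random password. The configuration text is a constructed sample modelled on the report's reproduction; the parser only understands the simple `Name = value` directives seen there.

```python
import re
import secrets

# Constructed sample modelled on the report: a PAM console plus a user
# console whose Password is the empty string, as the documentation suggested.
SAMPLE_DIR_CONF = '''
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

Console {
  Name = user1
  Password = ""
  Profile = admin
}
'''

# Flat "Console { key = value ... }" resources only, as shown in the report.
CONSOLE_RE = re.compile(r'Console\s*\{(.*?)\}', re.S)
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)
EMPTY_PASSWORD_RE = re.compile(r'^(\s*Password\s*=\s*)""\s*$', re.M | re.I)

def parse_consoles(text):
    """Return one {directive: value} dict (keys lower-cased) per Console resource."""
    return [{k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
            for body in CONSOLE_RE.findall(text)]

def find_passwordless_consoles(text):
    """Names of consoles with an empty Password: these can log in via bconsole
    with Password = "" regardless of whether PAM was meant to protect them."""
    return [c.get('name', '?') for c in parse_consoles(text)
            if c.get('password', '') == '']

def harden(text):
    """Apply the reporter's workaround: replace every empty console Password
    with a random one. PAM logins never use it, so it only has to be unguessable."""
    def fix_console(match):
        body = EMPTY_PASSWORD_RE.sub(
            lambda m: m.group(1) + '"' + secrets.token_urlsafe(32) + '"', match.group(1))
        return 'Console {' + body + '}'
    return CONSOLE_RE.sub(fix_console, text)

if __name__ == '__main__':
    print('consoles usable without password:', find_passwordless_consoles(SAMPLE_DIR_CONF))
    print(harden(SAMPLE_DIR_CONF))
```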
Tags: No tags attached.
bareos-master: impact: yes
bareos-master: action: will care
bareos-18.2: impact: yes
bareos-18.2: action: none

Note ~0003565 (2019-09-03 09:01, franku, developer):

There will be a dedicated User resource that only accepts the name, description, acl and profile directives, but no password. This resource will only be used for login using PAM authentication on the director.


Note ~0003566 (2019-09-03 09:07, franku, developer):

The fix does not affect the issue that Console resources in general can be used without password.

Issue History

Date Modified Username Field Change
2019-08-09 17:11 joergs New Issue
2019-09-03 08:52 franku Status new => confirmed
2019-09-03 08:52 franku bareos-master: impact => yes
2019-09-03 08:52 franku bareos-master: action => will care
2019-09-03 08:52 franku bareos-18.2: impact => yes
2019-09-03 08:52 franku bareos-18.2: action => will care
2019-09-03 09:01 franku Note Added: 0003565
2019-09-03 09:07 franku Note Added: 0003566
2019-09-03 14:47 franku bareos-18.2: action will care => none