View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001108 | bareos-core | director | public | 2019-08-09 17:11 | 2019-12-18 15:24 |
Reporter | joergs | Assigned To | franku | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 19.2.1 | ||||
Fixed in Version | 19.2.1 | ||||
Summary | 0001108: PAM users can be misused to directly connect to the bareos-director without password | ||||
Description | When using PAM as authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation https://docs.bareos.org/TasksAndConcepts/PAM.html#pam-user the password is set to an empty string (""). However, these users/consoles can be used to login via bconsole *without* password. This is of course a security problem. | ||||
Steps To Reproduce | Install bareos. Create the following files: |

/etc/bareos/bareos-dir.d/console/pam.conf:

```
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}
```

/etc/bareos/bareos-dir.d/console/user1.conf:

```
Console {
  Name = user1
  Password = ""
  Profile = admin
}
```

bconsole-user1.conf:

```
Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}
```

```
systemctl restart bareos-dir.service
bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: user1

Enter a period to cancel a command.
*
```
Additional Information | Temporary workaround: create PAM users with random passwords. | ||||
Tags | No tags attached. | ||||
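As an added example (not code from the report or from the Bareos project): a small audit script that parses the `Type { Directive = Value ... }` resource syntax shown in the report and lists every Console whose Password is empty or missing, the configuration this issue describes. It assumes the resources are supplied as one text (for example the concatenated `console/*.conf` files) and that multi-word values are quoted.

```python
"""Audit script added here as an example; not from the report or the Bareos project.
It parses the 'Type { Directive = Value ... }' resource syntax shown in the report and
flags Console resources whose Password is empty or missing (the 0001108 configuration)."""
import re

# Tokens: quoted string, one of { } =, a comment (dropped), or a bare word.
TOKEN = re.compile(r'"([^"]*)"|([{}=])|#[^\n]*|([^\s{}="#]+)')


def tokenize(text):
    """Yield (kind, value) pairs; kind is 'str', 'sym' or 'word'. Comments are skipped."""
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1)
        elif m.group(2) or m.group(3):
            yield ("sym" if m.group(2) else "word"), m.group(2) or m.group(3)


def parse_resources(text):
    """Return [(type, {directive: value}), ...]. Directive names are joined and lower-cased
    ('Use Pam Authentication' -> 'usepamauthentication'); multi-word values must be quoted."""
    tokens, resources, i = list(tokenize(text)), [], 0
    while i < len(tokens):
        kind, rtype = tokens[i]
        if kind != "word" or tokens[i + 1] != ("sym", "{"):
            raise ValueError(f"expected 'Type {{' near token {i}: {tokens[i]}")
        directives, key, i = {}, [], i + 2
        while tokens[i] != ("sym", "}"):
            if tokens[i] == ("sym", "="):          # end of a directive name: next token is the value
                directives["".join(key).lower()] = tokens[i + 1][1]
                key, i = [], i + 2
            else:                                  # names may be split by spaces
                key.append(tokens[i][1])
                i += 1
        resources.append((rtype.lower(), directives))
        i += 1
    return resources


def passwordless_consoles(text):
    """Names of Console resources with an empty or absent Password; before 19.2.1 such a
    console could log in to the director without any password."""
    return [d.get("name", "<unnamed>") for rtype, d in parse_resources(text)
            if rtype == "console" and not d.get("password")]

# Constructed sample mirroring the report's console/*.conf files: only user1 is exposed.
SAMPLE = """Console { Name = pam  Password = secret  Use Pam Authentication = yes }  # PAM login
Console { Name = user1  Password = ""  Profile = admin }
Console { Name = "ops console"  Password = "correct horse battery staple"  Profile = operator }
"""
```

Any name `passwordless_consoles` returns is a console that needs a real password or, on 19.2.1 and later, should be replaced by a User resource, which has no Password directive at all.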
There will be a dedicated User resource that only accepts a name, description, acl and profile directives, but no password. This resource will only be used for login using pam authentication on the director.

The fix does not affect the issue that Console resources in general can be used without password.

see Story #3158
bareos: master 76a11af5 2019-09-05 18:41 Committer: GitHub Ported: N/A

Merge pull request 0000263 from bareos/dev/franku/master/user-acl dir: add new resource User to config

Affected Issues 0001108

- mod - core/cmake/BareosInstallConfigFiles.cmake
- mod - core/debian/bareos-director.install.in
- mod - core/platforms/packaging/bareos.spec
- mod - core/src/dird/authenticate_console.cc
- mod - core/src/dird/dird_conf.cc
- mod - core/src/dird/dird_conf.h
- mod - core/src/dird/ua.cc
- mod - core/src/dird/ua.h
- mod - core/src/dird/ua_acl.cc
- mod - core/src/dird/ua_audit.cc
- mod - core/src/dird/ua_cmds.cc
- mod - docs/manuals/source/Configuration/Director.rst
- mod - docs/manuals/source/TasksAndConcepts/PAM.rst
- mod - docs/manuals/source/include/autogenerated/bareos-dir-config-schema.json
- mod - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf
- mod - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf
- add - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user2.conf
- add - systemtests/tests/bconsole-pam/etc/user3.cred
- mod - systemtests/tests/bconsole-pam/testrunner

bareos: master 2acb3395 2019-09-11 14:27 Committer: GitHub Ported: N/A

Merge pull request 0000267 from bareos/dev/franku/master/empty-password config: do not allow empty passwords for mandatory passwords

Affected Issues 0001108

- mod - core/src/lib/res.cc
Date Modified | Username | Field | Change |
---|---|---|---|
2019-08-09 17:11 | joergs | New Issue | |
2019-09-03 08:52 | franku | Status | new => confirmed |
2019-09-03 09:01 | franku | Note Added: 0003565 | |
2019-09-03 09:07 | franku | Note Added: 0003566 | |
2019-10-28 12:17 | franku | Note Added: 0003612 | |
2019-10-28 12:24 | franku | Assigned To | => franku |
2019-10-28 12:24 | franku | Status | confirmed => assigned |
2019-10-28 12:43 | franku | Changeset attached | => bareos master 2acb3395 |
2019-10-28 12:46 | franku | Changeset attached | => bareos master 76a11af5 |
2019-10-28 12:47 | franku | Status | assigned => resolved |
2019-10-28 12:47 | franku | Resolution | open => fixed |
2019-10-28 12:47 | franku | Fixed in Version | => 19.2.1 |
2019-12-18 15:24 | arogge | Status | resolved => closed |