View Issue Details

ID: 0001108
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2019-09-03 14:47
Reporter: joergs
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 19.2.1
Target Version:
Fixed in Version:
Summary: 0001108: PAM users can be misused to directly connect to the bareos-director without password
Description
When using PAM as authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation https://docs.bareos.org/TasksAndConcepts/PAM.html#pam-user the password is set to an empty string ("").

However, these users/consoles can be used to login via bconsole *without* password.
This is of course a security problem.
Steps To Reproduce
Install bareos
Create following files:

/etc/bareos/bareos-dir.d/console/pam.conf:
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

/etc/bareos/bareos-dir.d/console/user1.conf
Console {
  Name = user1
  Password = ""
  Profile = admin
}

bconsole-user1.conf:
Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}

systemctl restart bareos-dir.service

bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: user1

Enter a period to cancel a command.
*
Additional Information
Temporary workaround:
create PAM users with random passwords.
Tags: No tags attached.

Version impact/action:
bareos-master: impact = yes, action = will care
bareos-18.2: impact = yes, action = none
bareos-17.2: impact = (not set), action = (not set)
bareos-16.2: impact = (not set), action = (not set)
bareos-15.2: impact = (not set), action = (not set)
bareos-14.2: impact = (not set), action = (not set)
bareos-13.2: impact = (not set), action = (not set)
bareos-12.4: impact = (not set), action = (not set)
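The workaround in the report (give every PAM console a random password) can be checked and applied mechanically. The POSIX shell script below is an added example; it is neither Bareos project code nor the reporter's, and it assumes the layout shown in the steps above (one Console { ... } resource per *.conf file under /etc/bareos/bareos-dir.d/console/, one directive per line). It flags every Console with an empty Password, not just those with UsePamAuthentication = yes, because the second developer note says Console resources in general can be used without a password. To run offline it builds a constructed copy of the two console files from the report (plus a third, hypothetical user2.conf with a quoted name) in a temporary directory.

```shell
#!/bin/sh
# Added example (not Bareos project code): find Console resources with an
# empty Password and replace the empty password with a random one.
# Assumptions: one Console { ... } resource per *.conf file, directives on
# their own lines, as in /etc/bareos/bareos-dir.d/console/ above.

# Matches  Password = ""  (and, defensively, a Password = with nothing after it).
EMPTY_PW_RE='^[[:space:]]*Password[[:space:]]*=[[:space:]]*("")?[[:space:]]*$'

# 64 hex characters from the kernel RNG (256 bits of entropy).
gen_password() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print "name<TAB>pam|-<TAB>file" for each Console whose password is empty.
# Returns 1 if at least one such resource exists, 0 otherwise.
audit_console_dir() {
  adir="$1"
  found=0
  for f in "$adir"/*.conf; do
    [ -f "$f" ] || continue
    grep -Eq "$EMPTY_PW_RE" "$f" || continue
    # Accepts both  Name = user1  and  Name = "user1"
    cname=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$f" | head -n 1)
    if grep -Eiq '^[[:space:]]*UsePamAuthentication[[:space:]]*=[[:space:]]*(yes|true|on)' "$f"; then
      auth=pam
    else
      auth=-
    fi
    printf '%s\t%s\t%s\n' "$cname" "$auth" "$f"
    found=1
  done
  return $found
}

# Rewrite every empty Password directive with a fresh random value.
fix_empty_passwords() {
  fdir="$1"
  for f in "$fdir"/*.conf; do
    [ -f "$f" ] || continue
    grep -Eq "$EMPTY_PW_RE" "$f" || continue
    pw=$(gen_password)
    sed "s/^\([[:space:]]*Password[[:space:]]*=\)[[:space:]]*\(\"\"\)\{0,1\}[[:space:]]*\$/\1 \"$pw\"/" \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    printf 'set random password in %s\n' "$f"
  done
}

# Constructed sample: the two console files from the report plus a
# hypothetical user2.conf, written to a temporary directory.
make_sample_dir() {
  sdir=$(mktemp -d)
  cat > "$sdir/pam.conf" <<'EOF'
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}
EOF
  cat > "$sdir/user1.conf" <<'EOF'
Console {
  Name = user1
  Password = ""
  Profile = admin
}
EOF
  cat > "$sdir/user2.conf" <<'EOF'
Console {
  Name = "user2"
  Password =
  UsePamAuthentication = yes
}
EOF
  printf '%s\n' "$sdir"
}

# Usage against a real installation (as root; restart bareos-dir afterwards):
#   audit_console_dir /etc/bareos/bareos-dir.d/console
#   fix_empty_passwords /etc/bareos/bareos-dir.d/console
```

The audit exits non-zero when it finds something, so it can run from a config-management check or a pre-restart hook. The random value only needs to be unguessable; with PAM enabled the director never compares it, it just has to be non-empty, and the bconsole client must not carry it.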

Activities

franku (developer), 2019-09-03 09:01, note ~0003565

There will be a dedicated User resource that only accepts the name, description, acl and profile directives, but no password. This resource will only be used for login using pam authentication on the director.

franku (developer), 2019-09-03 09:07, note ~0003566

The fix does not affect the issue that Console resources in general can be used without a password.

Issue History

Date Modified Username Field Change
2019-08-09 17:11 joergs New Issue
2019-09-03 08:52 franku Status new => confirmed
2019-09-03 08:52 franku bareos-master: impact => yes
2019-09-03 08:52 franku bareos-master: action => will care
2019-09-03 08:52 franku bareos-18.2: impact => yes
2019-09-03 08:52 franku bareos-18.2: action => will care
2019-09-03 09:01 franku Note Added: 0003565
2019-09-03 09:07 franku Note Added: 0003566
2019-09-03 14:47 franku bareos-18.2: action will care => none