View Issue Details

ID: 0001108
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2019-10-28 12:47
Reporter: joergs
Assigned To: franku
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 19.2.1
Target Version:
Fixed in Version: 19.2.1
Summary: 0001108: PAM users can be misused to directly connect to the bareos-director without password
Description:
When using PAM as authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation https://docs.bareos.org/TasksAndConcepts/PAM.html#pam-user the password is set to an empty string ("").

However, these users/consoles can be used to log in via bconsole *without* password.
This is of course a security problem.
Steps To Reproduce:
Install bareos
Create the following files:

/etc/bareos/bareos-dir.d/console/pam.conf:
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

/etc/bareos/bareos-dir.d/console/user1.conf
Console {
  Name = user1
  Password = ""
  Profile = admin
}

bconsole-user1.conf:
Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}

systemctl restart bareos-dir.service

bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: user1

Enter a period to cancel a command.
*
Additional Information:
Temporary workaround:
create PAM users with random passwords.
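The condition the report describes can be audited on an existing Director before the fix is deployed. The script below is an added example, not code from the reporter or from the Bareos project: it parses the flat `Type { Directive = value }` resource syntax used by the snippets above and lists every Console whose Password is empty or missing. The parser, the helper names and the sample configuration embedded in it are constructed for this example.

```python
"""Audit Bareos Director Console resources for empty passwords.

Added example, not code from the bug report or the Bareos project. The
parser below handles only the flat ``Type { Directive = value }`` syntax
used by the configuration snippets on this page; nested resources and
@include lines are out of scope (assumption).
"""
import re
from typing import Dict, List

# Constructed sample input: the two Console resources from the bug report
# plus one correctly protected console. Not taken from a real system.
SAMPLE_CONFIG = """
# console resources as they would sit in /etc/bareos/bareos-dir.d/console/
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

Console {
  Name = user1
  Password = ""
  Profile = admin
}

Console {
  Name = operator
  Password = "s3cr3t-but-only-for-the-example"
  Profile = operator
}
"""

_RESOURCE_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)
# Directive names may contain spaces ("Use Pam Authentication"); they are
# normalised by removing spaces and lower-casing, as Bareos ignores both.
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*=\s*(.*?)\s*$")


def _strip_quotes(value: str) -> str:
    """Remove one pair of surrounding double or single quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_resources(text: str) -> List[Dict[str, str]]:
    """Parse every ``Type { ... }`` block into a dict of directive -> value.

    The resource type is stored lower-cased under the key ``_type``. Lines
    whose first non-blank character is ``#`` are comments and skipped.
    """
    resources: List[Dict[str, str]] = []
    for type_name, body in _RESOURCE_RE.findall(text):
        res: Dict[str, str] = {"_type": type_name.lower()}
        for line in body.splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = _DIRECTIVE_RE.match(line)
            if m:
                key = m.group(1).replace(" ", "").lower()
                res[key] = _strip_quotes(m.group(2))
        resources.append(res)
    return resources


def find_passwordless_consoles(text: str) -> List[str]:
    """Return the names of Console resources with an empty or missing Password.

    On a Director without the fix, each such console can be opened from
    bconsole with ``Password = ""`` and no further authentication, even if
    it was created only to carry the ACL/profile of a PAM user.
    """
    findings: List[str] = []
    for res in parse_resources(text):
        if res["_type"] != "console":
            continue
        if res.get("password", "") == "":
            findings.append(res.get("name", "<unnamed>"))
    return findings


if __name__ == "__main__":
    import sys

    # Usage: cat /etc/bareos/bareos-dir.d/console/*.conf | python audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for name in find_passwordless_consoles(source):
        print(f"Console '{name}' has an empty password")
```

Feed it the concatenation of /etc/bareos/bareos-dir.d/console/*.conf; every name it returns is a console that a Director without the fix accepts from bconsole with an empty password, whether or not it was intended as a PAM-only user. The parser treats a missing Password the same as an empty one and knows nothing about nested resources or @include, so verify its output by hand.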
Tags: No tags attached.

Custom Field              Value
bareos-master: impact     yes
bareos-master: action     fixed
bareos-18.2: impact       yes
bareos-18.2: action       none
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action

Activities

franku (developer)   2019-09-03 09:01   ~0003565

There will be a dedicated User resource that only accepts a name, description, acl and profile directives, but no password. This resource will only be used for login using pam authentication on the director.
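The split described in the note above, as an added configuration example (not configuration from the issue or from the Bareos project; directive names, file locations and the bconsole-side resource follow the Bareos 19.2 PAM documentation as I read it and are assumptions here, as is the placeholder secret):

```conf
# /etc/bareos/bareos-dir.d/console/pam.conf
# The one Console that may start a PAM login. It keeps a real, non-empty
# password: this is what bconsole authenticates with before the
# interactive PAM prompt. The value is a placeholder (assumption).
Console {
  Name = pam
  Password = "uDzQ7d1Cj4aHyYQ0vR2m"
  UsePamAuthentication = yes
}

# /etc/bareos/bareos-dir.d/user/user1.conf
# Replaces the Console { Name = user1 Password = "" } from the report.
# A User resource has no Password directive at all, so it cannot be used
# for a direct bconsole login; it only carries the ACL/profile that a
# PAM-authenticated login named user1 is given.
User {
  Name = user1
  Profile = admin
}

# bconsole-pam.conf (client side): bconsole presents the pam console's
# password, then the operator types their PAM username and password.
Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = pam
  Password = "uDzQ7d1Cj4aHyYQ0vR2m"
}
```

Only the pam Console carries a password, and it is the one bconsole presents; the identity the session then runs under comes from the PAM login and is looked up as a User resource. With the second changeset on this issue, a Console resource with `Password = ""` as in the report is rejected at configuration load, so leftover password-less consoles no longer pass silently.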
franku (developer)   2019-09-03 09:07   ~0003566

The fix does not affect the issue that Console resources in general can be used without password.
franku (developer)   2019-10-28 12:17   ~0003612

see Story #3158

Related Changesets

bareos: master 76a11af5
2019-09-05 16:41:25, franku (Committer: GitHub), Ported: N/A

Merge pull request 0000263 from bareos/dev/franku/master/user-acl

dir: add new resource User to config

Affected Issues: 0001108

mod - core/cmake/BareosInstallConfigFiles.cmake
mod - core/debian/bareos-director.install.in
mod - core/platforms/packaging/bareos.spec
mod - core/src/dird/authenticate_console.cc
mod - core/src/dird/dird_conf.cc
mod - core/src/dird/dird_conf.h
mod - core/src/dird/ua.cc
mod - core/src/dird/ua.h
mod - core/src/dird/ua_acl.cc
mod - core/src/dird/ua_audit.cc
mod - core/src/dird/ua_cmds.cc
mod - docs/manuals/source/Configuration/Director.rst
mod - docs/manuals/source/TasksAndConcepts/PAM.rst
mod - docs/manuals/source/include/autogenerated/bareos-dir-config-schema.json
mod - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf
mod - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf
add - systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user2.conf
add - systemtests/tests/bconsole-pam/etc/user3.cred
mod - systemtests/tests/bconsole-pam/testrunner

bareos: master 2acb3395
2019-09-11 12:27:56, arogge (Committer: GitHub), Ported: N/A

Merge pull request 0000267 from bareos/dev/franku/master/empty-password

config: do not allow empty passwords for mandatory passwords

Affected Issues: 0001108

mod - core/src/lib/res.cc

Issue History

Date Modified Username Field Change
2019-08-09 17:11 joergs New Issue
2019-09-03 08:52 franku Status new => confirmed
2019-09-03 08:52 franku bareos-master: impact => yes
2019-09-03 08:52 franku bareos-master: action => will care
2019-09-03 08:52 franku bareos-18.2: impact => yes
2019-09-03 08:52 franku bareos-18.2: action => will care
2019-09-03 09:01 franku Note Added: 0003565
2019-09-03 09:07 franku Note Added: 0003566
2019-09-03 14:47 franku bareos-18.2: action will care => none
2019-10-28 12:17 franku bareos-master: action will care => fixed
2019-10-28 12:17 franku bareos-18.2: action none => fixed
2019-10-28 12:17 franku Note Added: 0003612
2019-10-28 12:24 franku Assigned To => franku
2019-10-28 12:24 franku Status confirmed => assigned
2019-10-28 12:28 franku bareos-18.2: action fixed => none
2019-10-28 12:43 franku Changeset attached => bareos master 2acb3395
2019-10-28 12:46 franku Changeset attached => bareos master 76a11af5
2019-10-28 12:47 franku Status assigned => resolved
2019-10-28 12:47 franku Resolution open => fixed
2019-10-28 12:47 franku Fixed in Version => 19.2.1