[pkg-bacula-devel] [pkg-bacula-commits] [SCM] Bacula, a network backup, recovery and verification program branch, master, updated. debian/5.2.6+dfsg-2-3-ga406ac4

Alexander Golovko alexandro at ankalagon.ru
Tue Jul 3 19:12:06 UTC 2012


On Tue, 03 Jul 2012 12:38:29 -0600, Luca Capello wrote:
> Hi there!
>
> On Tue, 03 Jul 2012 11:15:33 -0600, Alexander Golovko wrote:
>> The following commit has been merged in the master branch:
>> commit a406ac4efc3f09c5a0255e53cd84bad1263826ba
>> Author: Alexander Golovko <alexandro at ankalagon.ru>
>> Date:   Tue Jul 3 18:09:08 2012 +0400
>>
>>     fix bad bacula-director passwords in old packages
>>
>>     Squeeze packages shipped with bad non-unique passwords.
>>     We must force a password change to prevent unauthorized access to
>>     the bacula-director service.
> [...]
>> +check_and_fix_unsafe_director_password()
>> +{
>> +  local PACKAGE REGEX
>> +
>> +  PACKAGE="$1"
>> +
>> +  #
>> +  # There is a list of hardcoded bacula-dir passwords we need to 
>> change.
>> +  # It is a passwords from versions 5.0.2-1, 5.0.2-1~bpo50+1, 
>> 5.0.2-2,
>> +  # 5.0.2-2.1, 5.0.2-2.2, 5.0.2-2.2+b1, 5.0.2-3, 5.0.3-1, 
>> 5.0.3-1+b1,
>> +  # 5.0.3+dfsg-0.1
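Review bot: the header comment in check_and_fix_unsafe_director_password() is ungrammatical ("It is a passwords from versions ..."); suggest "These are the passwords shipped by versions 5.0.2-1, 5.0.2-1~bpo50+1, ... 5.0.3+dfsg-0.1". The comment should also say where that list of passwords lives and what REGEX is matched against, since the visible lines declare `local PACKAGE REGEX` but only assign PACKAGE, so a reader of this hunk cannot tell how the "hardcoded" values are recognised.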
>
> I still do not get this, sorry.  Maybe it is just because here at
> DebConf12 I do not get so much sleep lately, but I tested at least twice
> and in no case were the passwords for bacula-dir hardcoded:
>
>   <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602191#41>
>
> =====
> (base-squeeze)root at gismo:/# apt-get install bacula-server
> [...]
> (base-squeeze)root at gismo:/# dpkg-query -W bacula-\*
> bacula-common   5.0.2-2.2+b1
> bacula-common-mysql
> bacula-common-pgsql
> bacula-common-sqlite3   5.0.2-2.2+b1
> bacula-director
> bacula-director-common  5.0.2-2.2+b1
> bacula-director-sqlite3 5.0.2-2.2+b1
> bacula-doc
> bacula-fd
> bacula-sd       5.0.2-2.2+b1
> bacula-sd-sqlite3       5.0.2-2.2+b1
> bacula-sd-tools
> bacula-server   5.0.2-2.2
> (base-squeeze)root at gismo:/# grep Password /usr/share/bacula-common/common-functions
> genRandomPassword()
> readOrCreatePasswords()
>         DIRPASSWD=`genRandomPassword`
>         DIRMPASSWD=`genRandomPassword`
>         SDPASSWD=`genRandomPassword`
>         SDMPASSWD=`genRandomPassword`
>         FDPASSWD=`genRandomPassword`
>         FDMPASSWD=`genRandomPassword`
> (base-squeeze)root at gismo:/#
> =====
>
> Can you elaborate where the real problem is?

The problem was a typo, "--with-dir-passowrd=XXX_DIRPASSWORD_XXX", 
fixed by commit c21ba3bd.
Before this commit bacula-dir.conf contained a password generated at 
compile time, and the sed -e 's/XXX_DIRPASSWORD_XXX/.../' in the postinst 
script did not do anything.

So all packages before 5.2.6+dfsg-1 were shipped with one of the default 
passwords. /etc/bacula/common-passwords contained the generated password, 
but bacula-dir.conf contained the default password. This is a problem 
because these passwords look strong but are, sadly, the same on all servers.

>
>> --- /dev/null
>> +++ b/debian/po/templates.pot
>
> With this you will get the debian-i18n people very angry, especially at
> this point in the release cycle ;-)
>
> Thx, bye,
> Gismo / Luca

-- 
with best regards,
Alexander Golovko
email: alexandro at ankalagon.ru
xmpp: alexandro at ankalagon.ru
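The failure mode described in this reply is a placeholder substitution that silently does nothing when the placeholder is absent from the template, leaving every install with the same compile-time password. The script below is an added example and is not code from the Debian bacula packaging: it shows a postinst-style substitution that fails loudly when XXX_DIRPASSWORD_XXX (the token named above) is missing and verifies the write took effect, plus a check that refuses a deployed Director password matching a known shipped default and regenerates it. The function names, the sample bacula-dir.conf fragment and the two "known bad" values are constructed for the example; the real list from the commit is not reproduced here.

```shell
#!/bin/sh
# Added example, not the Debian bacula packaging's own code. Assumes
# /dev/urandom, base64, awk and sed are available (POSIX sh otherwise).
# XXX_DIRPASSWORD_XXX is the placeholder named in the thread; the function
# names and the KNOWN_BAD_DIR_PASSWORDS values are constructed stand-ins.

# Random 32-character alphanumeric password (no sed-special characters).
gen_random_password() {
  head -c 33 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# Replace XXX_DIRPASSWORD_XXX in $1 with $2. Returns 1 and leaves the file
# untouched if the placeholder is missing: that is the case the thread
# describes, where a configure typo left a fixed compile-time password in
# the template and a plain sed silently changed nothing.
substitute_dir_password() {
  conf="$1"; pw="$2"
  if ! grep -q 'XXX_DIRPASSWORD_XXX' "$conf"; then
    echo "error: XXX_DIRPASSWORD_XXX not found in $conf; template is wrong" >&2
    return 1
  fi
  sed "s/XXX_DIRPASSWORD_XXX/$pw/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  # Post-condition: placeholder gone and the new password actually present.
  if grep -q 'XXX_DIRPASSWORD_XXX' "$conf" || ! grep -q "\"$pw\"" "$conf"; then
    echo "error: substitution in $conf did not take effect" >&2
    return 1
  fi
}

# Print the Password of the Director {} resource in $1, ignoring the
# Client/Storage resources, which carry their own Password lines.
director_password() {
  awk '
    /^Director[[:space:]]*[{]/ { indir = 1 }
    indir && /^[[:space:]]*Password[[:space:]]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }
    /^}/ { indir = 0 }
  ' "$1"
}

# Constructed stand-ins for the defaults shipped by the affected versions.
KNOWN_BAD_DIR_PASSWORDS="CONSTRUCTED_DEFAULT_A CONSTRUCTED_DEFAULT_B"

# Return 0 if the Director password in $1 is one of the known defaults.
director_password_is_known_bad() {
  current=$(director_password "$1")
  for bad in $KNOWN_BAD_DIR_PASSWORDS; do
    [ "$current" = "$bad" ] && return 0
  done
  return 1
}

# If $1 still carries a known default, regenerate the Director password in
# place and print the new value; otherwise print nothing and return 0.
fix_unsafe_director_password() {
  conf="$1"
  director_password_is_known_bad "$conf" || return 0
  old=$(director_password "$conf")
  new=$(gen_random_password)
  sed "s/Password = \"$old\"/Password = \"$new\"/" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
  [ "$(director_password "$conf")" = "$new" ] || return 1
  echo "$new"
}

# Constructed bacula-dir.conf fragment written to $1 with Director password $2.
write_sample_dir_conf() {
  cat > "$1" <<EOF
Director {
  Name = example-dir
  Password = "$2"
}
Client {
  Name = example-fd
  Password = "client-secret-not-the-director-one"
}
EOF
}
```

Usage: call `substitute_dir_password /etc/bacula/bacula-dir.conf "$(gen_random_password)"` from a postinst in place of a bare sed, and `fix_unsafe_director_password /etc/bacula/bacula-dir.conf` on upgrade; the first turns the silent no-op into a hard failure, the second catches installs that already have a shared default.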


