packages: bacula/bacula-desktop.patch, bacula/bacula.spec - SECURITY: limit...

jajcus jajcus at pld-linux.org
Thu Mar 18 10:14:35 CET 2010


Author: jajcus                       Date: Thu Mar 18 09:14:35 2010 GMT
Module: packages                      Tag: HEAD
---- Log message:
- SECURITY: limit access to bat.conf to user root and bacula group only. This file
contains a password which gives full access to the backup server (this could be
used to destroy all backups and even all data on the client machines). Tray
monitor is not affected, as it used different credentials with lower
privileges.
- move bat executable to %{_bindir}, as it can be used by users too

---- Files affected:
packages/bacula:
   bacula-desktop.patch (1.1 -> 1.2) , bacula.spec (1.131 -> 1.132) 

---- Diffs:

================================================================
Index: packages/bacula/bacula-desktop.patch
diff -u packages/bacula/bacula-desktop.patch:1.1 packages/bacula/bacula-desktop.patch:1.2
--- packages/bacula/bacula-desktop.patch:1.1	Wed Apr 15 18:12:40 2009
+++ packages/bacula/bacula-desktop.patch	Thu Mar 18 10:14:29 2010
@@ -6,7 +6,8 @@
  Comment=Bacula Director Console
 -Icon=/usr/share/pixmaps/bat_icon.png
 +Icon=bacula
- Exec=@sbindir@/bat -c @sysconfdir@/bat.conf
+-Exec=@sbindir@/bat -c @sysconfdir@/bat.conf
++Exec=@bindir@/bat -c @sysconfdir@/bat.conf
  Terminal=false
  Type=Application
  Encoding=UTF-8
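Review bot: the new `Exec=@bindir@/bat -c @sysconfdir@/bat.conf` line still points every desktop user at the system-wide bat.conf, which this same commit restricts to root and the bacula group, so the menu entry can only work for members of that group. The log message justifies the move to @bindir@ with "it can be used by users too"; please state in the package description or a README that launching bat from the menu requires membership in the bacula group, so the failure mode is documented and nobody "fixes" it later by loosening the mode on bat.conf.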

================================================================
Index: packages/bacula/bacula.spec
diff -u packages/bacula/bacula.spec:1.131 packages/bacula/bacula.spec:1.132
--- packages/bacula/bacula.spec:1.131	Wed Mar 17 17:09:24 2010
+++ packages/bacula/bacula.spec	Thu Mar 18 10:14:29 2010
@@ -575,7 +575,7 @@
 %endif
 
 %if %{with bat}
-install src/qt-console/.libs/bat $RPM_BUILD_ROOT%{_sbindir}
+install src/qt-console/.libs/bat $RPM_BUILD_ROOT%{_bindir}
 install scripts/bat.desktop $RPM_BUILD_ROOT%{_desktopdir}
 %endif
 
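Review bot: the changed `install src/qt-console/.libs/bat $RPM_BUILD_ROOT%{_bindir}` line assumes `$RPM_BUILD_ROOT%{_bindir}` already exists as a directory, and nothing in this hunk creates it. Please check that %install creates %{_bindir} before this point; if it does not, install will write the binary to a plain file named after the directory and the `%{_bindir}/bat` entry in %files will not be found. Also worth a grep of the other scripts and docs in the package for remaining references to `%{_sbindir}/bat`.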
@@ -973,8 +973,10 @@
 %doc LICENSE
 %{_pixmapsdir}/%{name}.png
 %{_desktopdir}/bat.desktop
-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
-%attr(755,root,root) %{_sbindir}/bat
+# Do not make this file world-readable or any user will get full access to the
+# backup system 
+%attr(640,root,bacula) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
+%attr(755,root,root) %{_bindir}/bat
 %{_mandir}/man1/bat.1*
 %{_docdir}/%{name}
 %endif
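Review bot: on the `%attr(640,root,bacula) %config(noreplace) ... %{_sysconfdir}/bat.conf` line, the tighter mode is only guaranteed for files that rpm actually writes. Because the file is `%config(noreplace)`, a bat.conf that the administrator has already edited may be left in place on upgrade with its old world-readable mode, which is exactly the installation that holds a real director password. Please confirm the upgrade behaviour on a system with a modified bat.conf, and if the mode is not corrected add a scriptlet or trigger that applies the owner, group and mode to the existing file. Two smaller points: the subpackage should depend on whatever creates the bacula group so the group exists when the file is installed, and the added comment line "# backup system " has trailing whitespace.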
@@ -1013,6 +1015,14 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.132  2010/03/18 09:14:29  jajcus
+- SECURITY: limit access to bat.conf to user root and bacula group only. This file
+contains a password which gives full access to the backup server (this could be
+used to destroy all backups and even all data on the client machines). Tray
+monitor is not affected, as it used different credentials with lower
+privileges.
+- move bat executable to %{_bindir}, as it can be used by users too
+
 Revision 1.131  2010/03/17 16:09:24  glen
 - packaging %ghost as symlink only brings trouble (extra Filelinktos deps, when payload is not even in rpm)
 - btw, how about packaging the ghosts in main package?
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/bacula/bacula-desktop.patch?r1=1.1&r2=1.2&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/bacula/bacula.spec?r1=1.131&r2=1.132&f=u


