password in bacula-fd.conf is not auto-generated

Bug #222558 reported by Henning Holtschneider on 2008-04-26
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
bacula (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: bacula-fd

While the hostname is being substituted in bacula-fd.conf, the default director passwords are the same on all installations. The sample passwords "look" random and there is no notice in the file that the passwords should be changed to result in a secure installation. In fact, the comments in the file even state:

# There is not much to change here except perhaps the
# File daemon Name to

The postinst script should either generate a random password or there should be a comment in the file indicating that the default password is insecure.

Related branches

CVE References

Chuck Short (zulcss) wrote :

Which version is this?

Thanks
chuck

Changed in bacula:
status: New → Incomplete
Mackenzie Morgan (maco.m) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in bacula:
status: Incomplete → Invalid
Kern Sibbald (kern) wrote :

I was not aware of this bug (sorry, I should look at them all), but I think I can shed some light on it and even provide the "code" necessary to fix it.

Basically the user is saying that each Bacula daemon generated needs a shared secrete random password used for authentication, and these passwords *must* be generated at install time to be unique. I have not looked at your packages but I believe that you inherited them from Debian where I have reported this problem. The passwords that you release in the bacula-xx.conf files are generated by Bacula at build time, and thus are installed on all systems, and hence are not secure, and this applies to all versions of Bacula that you have packaged. If you have explicitly added code in the install process that generates random passwords, then this bug should be closed, otherwise, it should be left open and marked as a security problem.

Note, this is a packaging problem. Bacula generates random passwords during the ./configure process, so everything is consistent, but once it is packaged, the packager needs to create similar code to the Bacula ./configure so that all installations will have different passwords.

If you want, I can provide you with sample code suitable to put in your installation packages.

I'm sorry I did not respond to this bug earlier. I missed Chuck's reply in April. Kern is absolutely right, this is a packaging problem inherited from Debian.

I didn't want to make the problem bigger than it acutally is. People who are using Bacula should be aware of the fact that the software uses a shared secret to communicate between the different components of the software package. But Joe Average who runs Bacula with the default settings coming from the .deb package will find himself left with a shared secret common to all Ubuntu Bacula installations and there are no indications whatsoever in the READMEs or in the configuration files which indicate this weakness.

Depending on your point of view, you might consider this a serious security issue.

Changed in bacula:
status: Invalid → New
Ante Karamatić (ivoks) wrote :

I'll mark this bug as 'medium' at the moment. But this should be resolved as soon as possible.

Kern, of course, any code would be welcome. It's clear that we should generate password on postinstall of package, not during compile-time.

Changed in bacula:
importance: Undecided → Medium
status: New → Confirmed

On Wednesday 24 September 2008 11:13:20 Ante Karamatić wrote:
> I'll mark this bug as 'medium' at the moment. But this should be
> resolved as soon as possible.
>
> Kern, of course, any code would be welcome. It's clear that we should
> generate password on postinstall of package, not during compile-time.
>
> ** Changed in: bacula (Ubuntu)
> Importance: Undecided => Medium
> Status: New => Confirmed

I am not (yet) a Debian packaging expert, so I asked the Bacula .deb guy
(Eric), and this is his response. Sorry for emailer wrapping, but you can
probably figure it out.

On Wednesday 24 September 2008 16:18:58 you wrote:
> Hello Eric,
>
> Do you have some .deb magic I could send off to the Ubuntu Bacula
> maintainers so that they can generate random passwords when installing
> Bacula?

I use the bacula-common configuration script (debian/bacula-common.config) to
compute and store random password for all bacula packages. (my template file
is ok too)

if ! db_get bacula/director_passwd; then
    db_set bacula/director_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
    db_set bacula/director_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
    db_set bacula/fd_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
    db_set bacula/fd_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
    db_set bacula/sd_passwd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
    db_set bacula/sd_mpasswd $(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 |
head -c33)
fi

After that, i use special strings to replace password in configuration file
(like for RPM)

./configure ...
          --with-dir-password="XXX_REPLACE_WITH_DIRECTOR_PASSWORD_XXX" \
          --with-fd-password="XXX_REPLACE_WITH_CLIENT_PASSWORD_XXX" \
          --with-sd-password="XXX_REPLACE_WITH_STORAGE_PASSWORD_XXX" \
          --with-mon-dir-password="XXX_REPLACE_WITH_DIRECTOR_MONITOR_PASSWORD_XXX"
\
          --with-mon-fd-password="XXX_REPLACE_WITH_CLIENT_MONITOR_PASSWORD_XXX"
\
          --with-mon-sd-password="XXX_REPLACE_WITH_STORAGE_MONITOR_PASSWORD_XXX"
\

At the end, i just have to replace XXX_...XXX strings by what we have computed
in each
package.postinst script.

        db_get bacula/director_mpasswd
        db_dir_mpass="$RET"
        db_get bacula/fd_mpasswd
        db_fd_mpass="$RET"
        db_get bacula/sd_mpasswd
        db_sd_mpass="$RET"
        db_stop

        sed \
            -e "s%XXX_REPLACE_WITH_DIRECTOR_MONITOR_PASSWORD_XXX%$db_dir_mpass%"
\
            -e "s%XXX_REPLACE_WITH_STORAGE_MONITOR_PASSWORD_XXX%$db_sd_mpass%"
\
            -e "s%XXX_REPLACE_WITH_CLIENT_MONITOR_PASSWORD_XXX%$db_fd_mpass%"
\
          < $SRCDIR/$CONFIG > $TARGET

At the end, if you configure FD/SD/DIR/Console on the same box, all your
passwords
will be ok.

They have also to remove the XXAddress = 127.0.0.1 from all configuration
file.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bacula - 2.4.3-1ubuntu1

---------------
bacula (2.4.3-1ubuntu1) jaunty; urgency=low

  * Store sd|fd|director passwords in debconf (LP: #222558)
    - added debian/bacula-common.templates
    - modified debian/bacula-common.postinst:
      + generate random passwords and store them in debconf
    - modified debian/bacula-[sd|fd|director-mysql|director-pgsql].postinst
      + read and set passwords from debconf
  * Daemons listen on all interfaces (LP: #286643)
  * Start daemons on installation
  * Build with generic XXX_*_XXX username, password and database name
    and replace it with dbconfig's settings in postinstall scripts
  * Merge from debian unstable, remaining changes:
    - Drop mt-st to suggests. So that bacula goes back to main. (LP: #286528)
    - debian/rules: Disable fortify source since it was causing
      bacula-director to segfault.
    - debian/control:
      + Added libdbi-perl and libdb-mysql-perl to depends for
        bacula-director-mysql
        due to new postinst configuration.
      + Cleaned up bacula-director-pgsql dependenices and recommends.
      + Made mysql the default director to install bacula-director-{mysql|pgsql}
        added database handling to postinstall scripts and templates, modifiied
        postinstall script's sed expressions.
      + Removed libwgtk-2.6-dev as a build dependency; as a result
        bacula-console-wx isn't built anymore.
      + Install gawk if not installed. (LP: #207527)
    - debian/make_catalog_backup_awk.[mysql|pgsql|sqlite3|sqlite]:
      + New scripts for catalog backup. (CVE-2007-5626)
    - debian/bacula-console-wx:
      + Dropped since we are not building them anymore.
    - debian/bacula-director-common.bacula-director.init,
      debian/bacula-fd.init, debian/bacula-sd.init
      + Made more LSB specific.

 -- Ante Karamatic <email address hidden> Wed, 26 Nov 2008 13:53:30 +0100

Changed in bacula:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers