Security Considerations

  • Only the File daemon needs to run with root permission (so that it can access all files). As a consequence, you may run your Director, Storage daemon, and MySQL or PostgreSQL database server as non-root processes. The -u and -g options allow you to specify on the command line a userid and groupid to be used after Bacula starts.

  • You should protect the Bacula port addresses (normally 9101, 9102, and 9103) from outside access by a firewall or other means of protection to prevent unauthorized use of your daemons.

  • You should ensure that the configuration files are not world readable since they contain passwords that allow access to the daemons. Anyone who can access the Director using a console program can restore any file from a backup Volume.

  • You should protect your Catalog database. Please note that the Bacula setup procedure leaves the database open to anyone. At a minimum, you should assign the user bacula a userid and add it to your Director’s configuration file in the appropriate Catalog resource.

  • If you use the make_catalog_backup script provided by Bacula, remember that you should take care when supplying passwords on the command line.
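
The configuration-file check above can be automated. The following is an added example, not part of the Bacula distribution: a POSIX shell audit that lists every *.conf file in a directory that users outside the owner and group can access. The function names and the sample directory /etc/bacula are assumptions; pass the directory your installation actually uses.

```sh
#!/bin/sh
# Added example: flag Bacula configuration files that "other" users can access.
# Usage: sh audit_bacula_conf.sh /etc/bacula   (directory is an assumption;
# use the configuration directory of your own installation)

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if the "other" permission digit is non-zero, 1 if it is zero,
# 2 if the mode could not be read.
is_world_accessible() {
    iwa_mode=$(file_mode "$1") || return 2
    case "$iwa_mode" in
        *0) return 1 ;;   # last octal digit 0: no access for "other"
        *)  return 0 ;;
    esac
}

# Report every world-accessible *.conf file in a directory.
# Returns 1 if at least one was found, 0 if the directory is clean.
audit_conf_dir() {
    acd_bad=0
    for acd_file in "$1"/*.conf; do
        [ -f "$acd_file" ] || continue
        if is_world_accessible "$acd_file"; then
            printf 'WORLD-ACCESSIBLE %s (mode %s)\n' \
                "$acd_file" "$(file_mode "$acd_file")"
            printf '  fix: chmod o-rwx %s\n' "$acd_file"
            acd_bad=1
        fi
    done
    return "$acd_bad"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_conf_dir "$1"
fi
```

A non-zero exit status means at least one file needs its permissions tightened, which makes the script usable from cron or a configuration-management check.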
