Security Considerations

• Only the File daemon needs to run with root permission (so that it can access all files). As a consequence, you may run your Director, Storage daemon, and MySQL or PostgreSQL database server as non-root processes. There are -u and the -g options that allow you to specify a userid and groupid on the command line to be used after Bacula starts.

• You should protect the Bacula port addresses (normally 9101, 9102, and 9103) from outside access by a firewall or other means of protection to prevent unauthorized use of your daemons.

• You should ensure that the configuration files are not world readable since they contain passwords that allow access to the daemons. Anyone who can access the Director using a console program can restore any file from a backup Volume.

• You should protect your Catalog database. Please note that the Bacula setup procedure leaves the database open to anyone. At a minimum, you should assign the user bacula a userid and add it to your Director’s configuration file in the appropriate Catalog resource.

• If you use the make_catalog_backup script provided by Bacula, remember that you should take care when supplying passwords on the command line.

See also

Previous articles:

• Actions to Avoid

Next articles:

• Concurrent Jobs

• Software Compression

• Testing and Monitoring

• Reporting Issues

• Catalog Database Choice

• Items to Implement Before Production

Go back to: Best Practices.