General Considerations
Important
Security means being able to restore your files, so read the Critical Items chapter.
The Clients (bacula-fd) must run as root to be able to access all the system files.
It is not necessary to run the Director as root.
It is not necessary to run the Storage daemon as root, but you must ensure that it can open the tape drives, which are often restricted to root access by default. In addition, if you do not run the Storage daemon as root, it will not be able to automatically set your tape drive parameters on most OSes, since these functions unfortunately require root access.
You should restrict access to the Bacula configuration files, so that the passwords are not world-readable.
The Bacula daemons are password protected using CRAM-MD5 (i.e. the password is not sent across the network). This will ensure that not everyone can access the daemons. It is a reasonably good protection, but can be cracked by experts.
If you are using the recommended ports 9101, 9102, and 9103, you will probably want to protect these ports from external access using a firewall and/or TCP wrappers (/etc/hosts.allow).
By default, all data that is sent across the network is encrypted. Read the TLS (SSL) Communications Encryption section.
You should ensure that the Bacula working directories are readable and writable only by the Bacula daemons.
If you are using MySQL it is not necessary for it to run with root permission.
The default Bacula grant-mysql-permissions script grants all permissions to use the database without a password. It is recommended to change that.
Keep in mind that Bacula is a network program, so anyone anywhere on the network with the console program and the Director’s password can access Bacula and the backed-up data.
You can restrict what IP addresses Bacula will bind to by using the appropriate DirAddress, FDAddress, or SDAddress records in the respective daemon configuration files.
Be aware that if you back up your database using the default script and the database has a password, the password is passed to that script as a command-line option, where any user will be able to see it. To keep it secure, you will need to pass it through an environment variable or a secure file.
Note
For more details, read Backing Up Your Bacula Database - Security Considerations.
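The file-permission, working-directory and bind-address points above can be checked with a short audit script. This is an added example, not part of the Bacula documentation or distribution; the configuration file names, the acceptance of the plural address directives, and the choice to tolerate group access on the working directory are assumptions.

```python
import os
import re
import stat
import sys

# Bind directive expected in each daemon config. Directive names are from the
# page; the file names are the conventional ones and are an assumption here.
BIND_DIRECTIVE = {"bacula-dir.conf": "DirAddress", "bacula-fd.conf": "FDAddress",
                  "bacula-sd.conf": "SDAddress"}


def audit_config(path):
    """Return findings for one Bacula configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable (mode {mode:04o})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:04o})")
    directive = BIND_DIRECTIVE.get(os.path.basename(path))
    if directive:
        with open(path, encoding="utf-8", errors="replace") as fh:
            # Drop '#' comments so a commented-out directive does not count.
            lines = [line.split("#", 1)[0] for line in fh]
        # Accept the directive and its plural form, case-insensitively.
        pattern = re.compile(rf"^\s*{directive}(es)?\s*=", re.IGNORECASE)
        if not any(pattern.match(line) for line in lines):
            findings.append(f"{path}: no {directive} record, bind address not restricted")
    return findings


def audit_working_dir(path):
    """Return findings if users outside owner and group can access the directory."""
    # Assumption: the daemons share the owning user or group, so group bits are allowed.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        return [f"{path}: accessible to other users (mode {mode:04o})"]
    return []


def audit(config_paths, working_dir):
    """Run every check; usage from a shell: script WORKING_DIR CONFIG [CONFIG ...]."""
    findings = [f for p in config_paths for f in audit_config(p)]
    return findings + audit_working_dir(working_dir)


if __name__ == "__main__":
    for finding in audit(sys.argv[2:], sys.argv[1]):
        print(finding)
```

An empty result means none of the three conditions was found; it does not cover the firewall, database grant or command-line password points.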