- SECURITY: limit access to bat.conf to user root and bacula group only. This file

contains a password which gives full access to the backup server (this could be
used to destroy all backups and even all data on the client machines). Tray
monitor is not affected, as it used different credentials with lower
privileges.
- move bat executable to %{_bindir}, as it can be used by users too

Changed files:
    bacula-desktop.patch -> 1.2
    bacula.spec -> 1.132

diff --git a/bacula-desktop.patch b/bacula-desktop.patch
index c52af84fc67ef0273807fe4e29714d8bfde1d4bf..dfa2973ab709dc31f4eabdf02ddb03aa8ac7b8d1 100644 (file)
--- a/bacula-desktop.patch
+++ b/bacula-desktop.patch
@@ -6,7 +6,8 @@
  Comment=Bacula Director Console
 -Icon=/usr/share/pixmaps/bat_icon.png
 +Icon=bacula
- Exec=@sbindir@/bat -c @sysconfdir@/bat.conf
+-Exec=@sbindir@/bat -c @sysconfdir@/bat.conf
++Exec=@bindir@/bat -c @sysconfdir@/bat.conf
  Terminal=false
  Type=Application
  Encoding=UTF-8

diff --git a/bacula.spec b/bacula.spec
index ed4d3e951df8c374546e2752d18a1f63bef434a5..45702285b816862c4e8ecf7cd5a428378b708922 100644 (file)
--- a/bacula.spec
+++ b/bacula.spec
@@ -574,7 +574,7 @@ sed -e 's/gnome-console/wx-console/g;s/Console/Wx Console/g' \
 %endif
 
 %if %{with bat}
-install src/qt-console/.libs/bat $RPM_BUILD_ROOT%{_sbindir}
+install src/qt-console/.libs/bat $RPM_BUILD_ROOT%{_bindir}
 install scripts/bat.desktop $RPM_BUILD_ROOT%{_desktopdir}
 %endif
 
@@ -972,8 +972,10 @@ fi
 %doc LICENSE
 %{_pixmapsdir}/%{name}.png
 %{_desktopdir}/bat.desktop
-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
-%attr(755,root,root) %{_sbindir}/bat
+# Do not make this file world-readable or any user will get full access to the
+# backup system 
+%attr(640,root,bacula) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
+%attr(755,root,root) %{_bindir}/bat
 %{_mandir}/man1/bat.1*
 %{_docdir}/%{name}
 %endif