Update

[bacula/docs] / docs / manual / security.tex

diff --git a/docs/manual/security.tex b/docs/manual/security.tex
index abe3bde9e97ada6c9d9dee4c7e31569f79f0c61c..726ab8e2ec400d41b85f224aca3aaab32e62f5a8 100644 (file)
--- a/docs/manual/security.tex
+++ b/docs/manual/security.tex
@@ -3,8 +3,9 @@
 
 \section*{Bacula Security Issues}
 \label{_ChapterStart14}
-\index[general]{Bacula Security Issues }
-\index[general]{Issues!Bacula Security }
+\index[general]{Bacula Security Issues}
+\index[general]{Security}
+\index[general]{Issues!Bacula Security}
 \addcontentsline{toc}{section}{Bacula Security Issues}
 
 \begin{itemize}
@@ -26,11 +27,11 @@
 \item If you are using the recommended ports 9101, 9102, and 9103, you  will
    probably want to protect these ports from external access  using a firewall
    and/or using tcp wrappers ({\bf etc/hosts.allow}).  
-\item Currently all data that is sent across the network is unencrypted.  As a
-   consequence, unless you use {\bf ssh} or {\bf stunnel} for  port forwarding,
-   it is not recommended to do a backup across an  insecure network (e.g. the
-   Internet). In a future version, we plan  to have {\bf ssl} encryption
-   built-in. 
+\item By default, all data that is sent across the network is unencrypted.
+   However, Bacula does support TLS (transport layer security) and can
+   encrypt transmitted data.  Please read the
+   \ilink{TLS (SSL) Communications Encryption}{CommEncryption}
+   section of this manual.
 \item You should ensure that the Bacula working directories are  readable and
    writable only by the Bacula daemons. 
 \item If you are using {\bf MySQL} it is not necessary for it to  run with
@@ -62,7 +63,7 @@ format tapes. The first problem you will have is to ensure that the
 hardware is still working some years down the road, and the second
 problem will be to ensure that the media will still be good, then 
 your OS must be able to interface to the device, and finally Bacula
-must be able to recogize old formats.  All the problems except the
+must be able to recognize old formats.  All the problems except the
 last are ones that we cannot solve, but by careful planning you can.
 
 Since the very beginning of Bacula (January 2000) until today (December
@@ -94,9 +95,12 @@ save you someday.
 
 
 \label{wrappers}
-subsection*{Configuring and Testing TCP Wrappers}
-index[general]{Configuring and Testing TCP Wrappers}
-addcontentsline{toc}{subsection}{Configuring and Testing TCP Wrappers}
+\subsection*{Configuring and Testing TCP Wrappers}
+\index[general]{Configuring and Testing TCP Wrappers}
+\index[general]{TCP Wrappers}
+\index[general]{Wrappers!TCP}
+\index[general]{libwrappers}
+\addcontentsline{toc}{subsection}{Configuring and Testing TCP Wrappers}
 
 TCP Wrappers are implemented if you turn them on when configuring
 ({\bf ./configure \verb:--:with-tcp-wrappers}). 
@@ -109,6 +113,12 @@ You must not use the {\bf twist} option in your {\bf
 /etc/hosts.allow} or it will terminate the Bacula daemon when a
 connection is refused.
 
+The exact name of the package you need loaded to build with TCP wrappers
+depends on the system.  For example,
+on SuSE, the TCP wrappers libraries needed to link Bacula are
+contained in the tcpd-devel package. On RedHat the package is named
+tcp\_wrappers.
+
 Dan Langille has provided the following information on configuring and
 testing TCP wrappers with Bacula. 
 
@@ -128,10 +138,10 @@ The libwrap code tries to avoid {\bf twist} if it runs in a resident process,
 but that test will not protect the first hosts\_access() call. This will
 result in the process (e.g. bacula-fd, bacula-sd, bacula-dir) being terminated
 if the first connection to their port results in the twist option being
-invoked. The potential, and I strees potential, exists for an attacker to
+invoked. The potential, and I stress potential, exists for an attacker to
 prevent the daemons from running. This situation is eliminated if your
-/etc/hosts.allow file contains an appropriate ruleset. The following example
-is sufficent: 
+/etc/hosts.allow file contains an appropriate rule set. The following example
+is sufficient: 
 
 \footnotesize
 \begin{verbatim}
@@ -144,12 +154,17 @@ undef-dir : ALL : deny
 \end{verbatim}
 \normalsize
 
-You must adjust the daemon names to those found in the respective daemon
-configuration files. In these examples, the Director is undef-dir, the
+You must adjust the names to be the same as the Name directives found
+in each of the daemon configuration files. They are, in general, not the
+same as the binary daemon names. It is not possible to use the 
+daemon names because multiple daemons may be running on the same machine
+but with different configurations.
+
+In these examples, the Director is undef-dir, the
 Storage Daemon is undef-sd, and the File Daemon is undef-fd. Adjust to suit
 your situation. The above example rules assume that the SD, FD, and DIR all
 reside on the same box. If you have a remote FD client, then the following
-ruleset on the remote client will suffice: 
+rule set on the remote client will suffice: 
 
 \footnotesize
 \begin{verbatim}
@@ -247,7 +262,7 @@ looked like on my FreeBSD laptop:
 
 \footnotesize
 \begin{verbatim}
-bacula:*:1002:1002::0:0:Bacul Daemon:/var/db/bacula:/sbin/nologin
+bacula:*:1002:1002::0:0:Bacula Daemon:/var/db/bacula:/sbin/nologin
 \end{verbatim}
 \normalsize