From 8ab42d0bbc0e7da1d47e0660934d8b46be04a639 Mon Sep 17 00:00:00 2001
From: Kern Sibbald
Date: Mon, 22 Oct 2007 21:47:58 +0000
Subject: [PATCH] kes Add a security warning to src/cats/make_catalog_backup.in indicating that passing the password via the command line (arg 3) is insecure. This responds to bug #990 (it doesn't fix it).
git-svn-id: https://bacula.svn.sourceforge.net/svnroot/bacula/branches/Branch-2.2@5779 91ce42f0-d328-0410-95d8-f526ca767f89
---
 bacula/src/cats/make_catalog_backup.in | 8 ++++++--
 bacula/technotes-2.1 | 3 +++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/bacula/src/cats/make_catalog_backup.in b/bacula/src/cats/make_catalog_backup.in
index 18c2821608..98b1ae3387 100755
--- a/bacula/src/cats/make_catalog_backup.in
+++ b/bacula/src/cats/make_catalog_backup.in
@@ -8,7 +8,11 @@
 # $2 is the user name with which to access the database
 # (default = bacula).
 # $3 is the password with which to access the database or "" if no password
-# (default "")
+# (default ""). WARNING!!! Passing the password via the command line is
+# insecure and should not be used since any user can display the command
+# line arguments and the environment using ps. Please consult your
+# MySQL or PostgreSQL manual for secure methods of specifying the
+# password.
 # $4 is the host on which the database is located
 # (default "")
 #
@@ -31,7 +35,7 @@ else
 else
 MYSQLHOST=""
 fi
- ${BINDIR}/mysqldump -u $2$MYSQLPASSWORD$MYSQLHOST -f --opt $1 >$1.sql
+ ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
 else
 if test xpostgresql = x@DB_TYPE@ ; then
 if test $# -gt 2; then
diff --git a/bacula/technotes-2.1 b/bacula/technotes-2.1
index bde12ccc32..6f1ef247f5 100644
--- a/bacula/technotes-2.1
+++ b/bacula/technotes-2.1
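Review bot: The warning added to the `$3` description tells the operator what to avoid but leaves the safe alternative to the database manuals. Since it also rules out the environment, the comment should name the file-based mechanisms itself. After `password.` I would add something like `# Omit $3 and keep the password in an owner-only (mode 0600) MySQL option file ([client] section) or in PostgreSQL's ~/.pgpass.` Whether every branch of the script works with `$3` omitted depends on code outside this hunk, so that should be confirmed before the comment promises it.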
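Review bot: The rewritten `mysqldump` line still expands `${MYSQLPASSWORD}` into the child's argument list, so the process-list exposure described in the new header comment applies to mysqldump for the whole run of the dump. The brace change does not alter that. `MYSQLPASSWORD` is assigned above the hunk, so its content is inferred from the name and the `$3` description. A short comment directly above the line, e.g. `# NOTE: a password given as $3 is visible in the process list here; prefer an option file`, would keep the warning next to the code it describes. Separately, the expansions remain unquoted, so a database name with whitespace or glob characters is split or expanded; `"$1" >"$1.sql"` would close that for the name and output path.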
@@ -2,6 +2,9 @@ General: 22Oct07 +kes Add a security warning to src/cats/make_catalog_backup.in indicating + that passing the password via the command line (arg 3) is insecure. + This responds to bug #990 (it doesn't fix it). kes Apply 2.2.5-postgresql-errors.patch kes Remove unneeded File table index on JobId, which is already present as the first index of another multi-index. -- 2.39.5