From 171c2945d3bac5070b43611424cd6348338b619b Mon Sep 17 00:00:00 2001 From: Joerg Steffens Date: Fri, 28 Jun 2019 16:54:46 +0200 Subject: [PATCH 1/3] docs: PAM, additional hints --- docs/manuals/source/Configuration/Console.rst | 2 +- docs/manuals/source/TasksAndConcepts/PAM.rst | 34 +++++++++++-------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/docs/manuals/source/Configuration/Console.rst b/docs/manuals/source/Configuration/Console.rst index 6ec4f5518c5..fa3edcf4775 100644 --- a/docs/manuals/source/Configuration/Console.rst +++ b/docs/manuals/source/Configuration/Console.rst @@ -155,7 +155,7 @@ The following is an example of a :file:`bconsole.conf` file that can access seve Console { Name = restricted-user Password = "RUPASSWORD" - Director = MyDirector + Director = bareos-dir } Console { diff --git a/docs/manuals/source/TasksAndConcepts/PAM.rst b/docs/manuals/source/TasksAndConcepts/PAM.rst index bc15988158a..506e766533b 100644 --- a/docs/manuals/source/TasksAndConcepts/PAM.rst +++ b/docs/manuals/source/TasksAndConcepts/PAM.rst 
@@ -61,50 +61,56 @@ To enable PAM authentication two systems have to be configured. The PAM module i PAM Module ^^^^^^^^^^ -This is depending on the operating system and on the used pam module. For details read the manuals. The name of the service that has to be registered is "bareos". +This is depending on the operating system and on the used pam module. For details read the manuals. The name of the service that has to be registered is **bareos**. Fedora 28 example: : -.. code-block:: ini +.. code-block:: bareosconfig :caption: :file:`/etc/pam.d/bareos` - # check authorization auth required pam_unix.so +.. warning:: + + The |dir| runs as user **bareos**. However, some PAM modules require more priviliges. E.g. **pam_unix** requires access to the file :file:`/etc/shadow`, which is normally not permitted. Make sure you verify your system accordingly. + Bareos Console ^^^^^^^^^^^^^^ For PAM authentication a dedicated named console is used. Set the directive UsePamAuthentication=yes in the regarding Director-Console resource: -.. code-block:: ini +.. code-block:: bareosconfig :caption: :file:`bareos-dir.d/console/pam-console.conf` Console { - Name = "PamConsole" - Password = "Secretpassword" - UsePamAuthentication = yes + Name = "PamConsole" + Password = "Secretpassword" + UsePamAuthentication = yes } In the dedicated |bconsole| config use name and password according as to the |dir|: -.. code-block:: ini +.. code-block:: bareosconfig :caption: :file:`bconsole.conf` + Director { + ... + } + Console { - Name = "PamConsole" - Password = "Secretpassword" + Name = "PamConsole" + Password = "Secretpassword" } PAM User ^^^^^^^^ Users have limited access to commands and jobs. Therefore the appropriate rights should also be granted to PAM users. This is an example of a User resource (Bareos Director Configuration): -.. code-block:: ini - :caption: :file:`bareos-dir.d/console/pam-user.conf` +.. 
code-block:: bareosconfig + :caption: :file:`bareos-dir.d/user/a-pam-user.conf` User { Name = "a-pam-user" - Password = "" #unsed because authenticated by PAM + Password = "" # unsed because authenticated by PAM CommandACL = status, .status JobACL = *all* } - From 2506fd1273e428beafac104dca52b92a5a06d6c4 Mon Sep 17 00:00:00 2001 From: Joerg Steffens Date: Wed, 3 Jul 2019 10:58:30 +0200 Subject: [PATCH 2/3] bconsole: show error messages when connecting to the Director fails. --- core/src/console/console.cc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/core/src/console/console.cc b/core/src/console/console.cc index 2c2cca43de8..dd7a7df009f 100644 --- a/core/src/console/console.cc +++ b/core/src/console/console.cc @@ -1071,7 +1071,11 @@ int main(int argc, char* argv[]) BStringList response_args; UA_sock = ConnectToDirector(jcr, heart_beat, response_args, response_id); - if (!UA_sock) { return 1; } + if (!UA_sock) { + ConsoleOutput(_("Failed to connect to Director. Giving up.\n")); + TerminateConsole(0); + return 1; + } UA_sock->OutputCipherMessageString(ConsoleOutput); @@ -1079,17 +1083,21 @@ int main(int argc, char* argv[]) #if defined(HAVE_PAM) if (!ExaminePamAuthentication(use_pam_credentials_file, pam_credentials_filename)) { + ConsoleOutput(_("PAM authentication failed. Giving up.\n")); TerminateConsole(0); return 1; } response_args.clear(); if (!UA_sock->ReceiveAndEvaluateResponseMessage(response_id, response_args)) { + ConsoleOutput(_("PAM authentication failed. Giving up.\n")); TerminateConsole(0); return 1; } #else - Dmsg0(200, "This console does not have the pam feature\n"); + ConsoleOutput( + _("PAM authentication requested by Director, however this console " + "does not have this feature. Giving up.\n")); TerminateConsole(0); return 1; #endif /* HAVE_PAM */ From 2310a00bac00e124d31e7c8bfba36e96d5a50680 Mon Sep 17 00:00:00 2001 
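Review bot: The two PAM failure branches in the second console.cc hunk (after `ExaminePamAuthentication` and after `ReceiveAndEvaluateResponseMessage`) now emit the identical string `PAM authentication failed. Giving up.`, so a support log cannot tell a local PAM failure from a response the Director rejected. The generic wording towards the user is right for an authentication error; keep it, and add a debug trace before each `TerminateConsole(0)` that names the step, e.g. `Dmsg0(100, "ExaminePamAuthentication failed\n");` and `Dmsg0(100, "Director did not accept the PAM response\n");`. The first hunk's new `TerminateConsole(0)` before `return 1` brings the connect-failure path in line with the other exits. `main()` starts and continues outside both hunks.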
From: Joerg Steffens Date: Wed, 3 Jul 2019 12:18:29 +0200 Subject: [PATCH 3/3] systemtest: add bconsole-pam --- core/cmake/BareosFindAllLibraries.cmake | 2 + systemtests/CMakeLists.txt | 21 +++- systemtests/environment.in | 2 + .../bin/check_pam_exec_available.sh | 33 ++++++ .../tests/bconsole-pam/bin/pam_exec_check.sh | 75 +++++++++++++ .../bareos-dir.d/catalog/MyCatalog.conf.in | 8 ++ .../bareos-dir.d/client/bareos-fd.conf.in | 7 ++ .../etc/bareos/bareos-dir.d/console/pam.conf | 6 + .../bareos-dir.d/director/bareos-dir.conf.in | 27 +++++ .../bareos-dir.d/fileset/Catalog.conf.in | 11 ++ .../bareos-dir.d/fileset/SelfTest.conf.in | 11 ++ .../bareos-dir.d/job/RestoreFiles.conf.in | 11 ++ .../bareos-dir.d/job/backup-bareos-fd.conf.in | 5 + .../bareos-dir.d/jobdefs/DefaultJob.conf.in | 15 +++ .../bareos-dir.d/messages/Daemon.conf.in | 7 ++ .../bareos-dir.d/messages/Standard.conf.in | 7 ++ .../bareos-dir.d/pool/Differential.conf | 10 ++ .../etc/bareos/bareos-dir.d/pool/Full.conf | 10 ++ .../bareos/bareos-dir.d/pool/Incremental.conf | 10 ++ .../etc/bareos/bareos-dir.d/pool/Scratch.conf | 4 + .../bareos/bareos-dir.d/profile/operator.conf | 18 +++ .../bareos/bareos-dir.d/storage/File.conf.in | 8 ++ .../etc/bareos/bareos-dir.d/user/user1.conf | 6 + .../etc/bareos/bconsole-default.conf.in | 10 ++ .../bconsole-pam/etc/bareos/bconsole.conf.in | 16 +++ .../tests/bconsole-pam/etc/pam.d/bareos.in | 5 + systemtests/tests/bconsole-pam/etc/user1.cred | 2 + systemtests/tests/bconsole-pam/etc/user2.cred | 2 + systemtests/tests/bconsole-pam/testrunner | 105 ++++++++++++++++++ 29 files changed, 453 insertions(+), 1 deletion(-) create mode 100755 systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh create mode 100755 systemtests/tests/bconsole-pam/bin/pam_exec_check.sh create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in create mode 
100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/console/pam.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Daemon.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Standard.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Differential.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Full.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Incremental.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Scratch.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/storage/File.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bconsole-default.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/bareos/bconsole.conf.in create mode 100644 systemtests/tests/bconsole-pam/etc/pam.d/bareos.in create mode 100644 systemtests/tests/bconsole-pam/etc/user1.cred create mode 100644 systemtests/tests/bconsole-pam/etc/user2.cred create mode 100755 systemtests/tests/bconsole-pam/testrunner 
diff --git a/core/cmake/BareosFindAllLibraries.cmake b/core/cmake/BareosFindAllLibraries.cmake index a94ead1ccfa..b7708845a57 100644 --- a/core/cmake/BareosFindAllLibraries.cmake +++ b/core/cmake/BareosFindAllLibraries.cmake @@ -75,6 +75,8 @@ BareosFindLibrary("gtest") BareosFindLibrary("gtest_main") BareosFindLibrary("gmock") +BareosFindLibrary("pam_wrapper") + if (${HAVE_CAP}) SET(HAVE_LIBCAP 1) endif() diff --git a/systemtests/CMakeLists.txt b/systemtests/CMakeLists.txt index d1369ba081d..71c62b0f72c 100644 --- a/systemtests/CMakeLists.txt +++ b/systemtests/CMakeLists.txt @@ -157,7 +157,6 @@ foreach(CURRENT_FILE ${ALL_FILES}) # MESSAGE(STATUS "moved ${scripts}/${TARGET_FILE}") endforeach() - set(tests_dir ${PROJECT_BINARY_DIR}/tests) set(SYSTEM_TESTS backup-bareos-test @@ -170,6 +169,26 @@ set(SYSTEM_TESTS copy-remote-bscan ) +IF(PAM_WRAPPER_LIBRARIES) + find_program(PAMTESTER pamtester) + IF(PAMTESTER) + set(ENV{PAM_WRAPPER_LIBRARIES} "${PAM_WRAPPER_LIBRARIES}") + execute_process( + COMMAND "${CMAKE_BINARY_DIR}/systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh" + WORKING_DIRECTORY "${CMAKE_BINARY_DIR}/systemtests/tests/bconsole-pam/" + RESULT_VARIABLE PAM_EXEC_AVAILABLE_RC + ) + IF(${PAM_EXEC_AVAILABLE_RC} EQUAL "0") + set(PAM_EXEC_FOUND TRUE) + list(APPEND SYSTEM_TESTS "bconsole-pam") + ENDIF() + + MESSAGE( STATUS "PAM_EXEC_FOUND: " ${PAM_EXEC_FOUND} ) + + ENDIF() +ENDIF() + + set(BASEPORT 42001) foreach(TEST_NAME ${SYSTEM_TESTS}) diff --git a/systemtests/environment.in b/systemtests/environment.in index 61c111d61bf..89bd24fc5ed 100644 --- a/systemtests/environment.in +++ b/systemtests/environment.in @@ -54,3 +54,5 @@ export tmp export db_name=@db_name@ export db_password=@db_password@ export db_user=@db_user@ + +export PAM_WRAPPER_LIBRARIES=@PAM_WRAPPER_LIBRARIES@ 
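Review bot: `IF(${PAM_EXEC_AVAILABLE_RC} EQUAL "0")` in the systemtests/CMakeLists.txt hunk dereferences the result variable inside the condition; when `execute_process` cannot launch the check script (not executable, not yet copied) `RESULT_VARIABLE` holds an error string with spaces and the `IF` becomes malformed instead of evaluating false, so write it as `IF(PAM_EXEC_AVAILABLE_RC EQUAL 0)`. `PAM_EXEC_FOUND` is only ever set to TRUE, so the `MESSAGE(STATUS ...)` prints an empty value on the skip path; initialise it with `set(PAM_EXEC_FOUND FALSE)` before the `IF`. The probe runs at configure time against `${CMAKE_BINARY_DIR}/systemtests/tests/bconsole-pam/` and therefore needs `bin/check_pam_exec_available.sh` and the generated `etc/pam.d/bareos` to exist there already; if `bareos.in` is only configured in the later `foreach(TEST_NAME ${SYSTEM_TESTS})` loop, the probe fails on a clean build directory and the test is silently dropped — worth confirming via the STATUS line.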
diff --git a/systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh b/systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh new file mode 100755 index 00000000000..6102414bed7 --- /dev/null +++ b/systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +# +# Verify that our test pam configuration works. +# It uses +# * pam_wrapper to redirect PAM to our test environemnt, using a specific service file +# * pamtester to test PAM without the need to run Bareos +# * pam_exec.so is defined in the bareos PAM service file. +# It is configured to accept all logins where USERNAME = PASSWORD. +# + +set -e +set -u + +export PAM_WRAPPER=1 +export PAM_WRAPPER_SERVICE_DIR=etc/pam.d/bareos + +if ! [ -e "${PAM_WRAPPER_SERVICE_DIR}" ]; then + echo "PAM service file ${PAM_WRAPPER_SERVICE_DIR} not found" + exit 1 +fi + +# DEBUG +#export PAM_WRAPPER_DEBUGLEVEL=4 + +# PAM_WRAPPER creates extra environments in /tmp/pam.*/ + +# PAM_WRAPPER_LIBRARIES will be set my cmake +USERNAME="user" +PASSWORD="user" +echo "$PASSWORD" | LD_PRELOAD=${PAM_WRAPPER_LIBRARIES} pamtester bareos "$USERNAME" authenticate + +exit $? diff --git a/systemtests/tests/bconsole-pam/bin/pam_exec_check.sh b/systemtests/tests/bconsole-pam/bin/pam_exec_check.sh new file mode 100755 index 00000000000..8c59a9e4c99 --- /dev/null +++ b/systemtests/tests/bconsole-pam/bin/pam_exec_check.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh + +# auth optional pam_exec.so expose_authtok debug log=/tmp/pam.log /usr/bin/sc_pam_wlan.sh + +# called by: +# auth optional pam_exec.so expose_authtok /usr/bin/sc_pam_wlan.sh + +# pam_exec options: +# debug +# expose_authtok +# During authentication the calling command can read the password from stdin(3). +# (PAM_TYPE=auth only) +# log=file +# The output of the command is appended to file +# type=type +# Only run the command if the module type matches the given type. +# stdout +# Per default the output of the executed command is written to /dev/null. +# With this option, the stdout output of the executed command is redirected +# to the calling application. +# It's in the responsibility of this application what happens with the output. +# The log option is ignored. +# quiet +# Per default pam_exec.so will echo the exit status of the external command +# if it fails. Specifying this option will suppress the message. +# seteuid +# Per default pam_exec.so will execute the external command +# with the real user ID of the calling process. +# Specifying this option means the command is run with the effective user ID. + +# PAM_TYPE: +# "auth" +# ... +# "open_session" +# "close_session" + +RC_OK=0 +RC_SKIP=1 +RC_NOK=2 + +echo "$0" +#echo "current user: $USER ($UID)" + +if [ "$PAM_TYPE" != "auth" ]; then + echo "only pam type auth supported, not $PAM_TYPE" + exit $RC_SKIP +fi + +echo "PAM settings:" +echo "User: $PAM_USER" +echo "Ruser: $PAM_RUSER" +echo "Rhost: $PAM_RHOST" +echo "Service: $PAM_SERVICE" +echo "TTY: $PAM_TTY" + +USERNAME="$PAM_USER" +# This does not work in PAM environment +# if [ -z "$PAM_USER" ]; then +# read -p "PE Login: " USERNAME +# fi + + +read -p "PE Passwort: " PASSWORD + + +if [ "$USERNAME" = "$PASSWORD" ]; then + echo "grant access for $USERNAME" + RC=$RC_OK +else + echo "deny access for $USERNAME" + RC=$RC_NOK +fi + +exit $RC + 
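Review bot: `read -p "PE Passwort: " PASSWORD` is a bash extension, but the script runs under `#!/bin/sh`; where `/bin/sh` is dash (Debian, which the testrunner header lists as a target platform) `read` rejects `-p`, `PASSWORD` stays empty and every login is denied — including the configure-time probe in `check_pam_exec_available.sh`, which would then silently disable the test rather than surface the bug. Replace it with `printf 'PE Passwort: '` followed by `IFS= read -r PASSWORD` (the `-r` also keeps backslashes in the token literal). The header comment still refers to `/usr/bin/sc_pam_wlan.sh`, which is not this script's path. The script echoes `PAM_USER`, `PAM_RUSER` and `PAM_RHOST` into the pam_exec log but never the token — keep it that way.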
diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in new file mode 100644 index 00000000000..479bc6fecbb --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in @@ -0,0 +1,8 @@ +Catalog { + Name = MyCatalog + #dbdriver = "@DEFAULT_DB_TYPE@" + dbdriver = "XXX_REPLACE_WITH_DATABASE_DRIVER_XXX" + dbname = "@db_name@" + dbuser = "@db_user@" + dbpassword = "@db_password@" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in new file mode 100644 index 00000000000..470ca702035 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in @@ -0,0 +1,7 @@ +Client { + Name = bareos-fd + Description = "Client resource of the Director itself." + Address = localhost + Password = "@fd_password@" # password for FileDaemon + FD PORT = @fd_port@ +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/console/pam.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/console/pam.conf new file mode 100644 index 00000000000..cf155a522f0 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/console/pam.conf @@ -0,0 +1,6 @@ +Console { + Name = "PamConsole" + Password = "secret" + UsePamAuthentication = yes +} + diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in new file mode 100644 index 00000000000..5546d140d72 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in 
@@ -0,0 +1,27 @@ +Director { # define myself + Name = bareos-dir + QueryFile = "@scriptdir@/query.sql" + Maximum Concurrent Jobs = 10 + Password = "@dir_password@" # Console password + Messages = Daemon + Auditing = yes + + # Enable the Heartbeat if you experience connection losses + # (eg. because of your router or firewall configuration). + # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd. + # + # Heartbeat Interval = 1 min + + # remove comment in next line to load dynamic backends from specified directory + Backend Directory = @backenddir@ + + # remove comment from "Plugin Directory" to load plugins from specified directory. + # if "Plugin Names" is defined, only the specified plugins will be loaded, + # otherwise all director plugins (*-dir.so) from the "Plugin Directory". + # + # Plugin Directory = "@plugindir@" + # Plugin Names = "" + Working Directory = "@working_dir@" + Pid Directory = "@piddir@" + DirPort = @dir_port@ +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in new file mode 100644 index 00000000000..c7cdc433fe1 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in @@ -0,0 +1,11 @@ +FileSet { + Name = "Catalog" + Description = "Backup the catalog dump and Bareos configuration files." + Include { + Options { + signature = MD5 + } + File = "@working_dir@/@db_name@.sql" # database dump + File = "@confdir@" # configuration + } +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in new file mode 100644 index 00000000000..ba39719ea3f --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in 
@@ -0,0 +1,11 @@ +FileSet { + Name = "SelfTest" + Description = "fileset just to backup some files for selftest" + Include { + Options { + Signature = MD5 # calculate md5 checksum per file + } + #File = "@sbindir@" + File=<@tmpdir@/file-list + } +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in new file mode 100644 index 00000000000..89256864d9a --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in @@ -0,0 +1,11 @@ +Job { + Name = "RestoreFiles" + Description = "Standard Restore template. Only one such job is needed for all standard Jobs/Clients/Storage ..." + Type = Restore + Client = bareos-fd + FileSet = SelfTest + Storage = File + Pool = Incremental + Messages = Standard + Where = @tmp@/bareos-restores +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in new file mode 100644 index 00000000000..ca1891f9620 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in @@ -0,0 +1,5 @@ +Job { + Name = "backup-bareos-fd" + JobDefs = "DefaultJob" + Client = "bareos-fd" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in new file mode 100644 index 00000000000..563126477c9 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in 
@@ -0,0 +1,15 @@ +JobDefs { + Name = "DefaultJob" + Type = Backup + Level = Incremental + Client = bareos-fd + FileSet = "SelfTest" + Storage = File + Messages = Standard + Pool = Incremental + Priority = 10 + Write Bootstrap = "@working_dir@/%c.bsr" + Full Backup Pool = Full # write Full Backups into "Full" Pool + Differential Backup Pool = Differential # write Diff Backups into "Differential" Pool + Incremental Backup Pool = Incremental # write Incr Backups into "Incremental" Pool +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Daemon.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Daemon.conf.in new file mode 100644 index 00000000000..cf6a8cfa1e2 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Daemon.conf.in @@ -0,0 +1,7 @@ +Messages { + Name = Daemon + Description = "Message delivery for daemon messages (no job)." + console = all, !skipped, !saved, !audit + append = "@logdir@/bareos.log" = all, !skipped, !audit + append = "@logdir@/bareos-audit.log" = audit +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Standard.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Standard.conf.in new file mode 100644 index 00000000000..b3556ba8c23 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Standard.conf.in @@ -0,0 +1,7 @@ +Messages { + Name = Standard + Description = "Reasonable message delivery -- send most everything to email address and to the console." + console = all, !skipped, !saved, !audit + append = "@logdir@/bareos.log" = all, !skipped, !saved, !audit + catalog = all, !skipped, !saved, !audit +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Differential.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Differential.conf new file mode 100644 index 00000000000..25ce24821ab --- /dev/null 
+++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Differential.conf @@ -0,0 +1,10 @@ +Pool { + Name = Differential + Pool Type = Backup + Recycle = yes # Bareos can automatically recycle Volumes + AutoPrune = yes # Prune expired volumes + Volume Retention = 90 days # How long should the Differential Backups be kept? (#09) + Maximum Volume Bytes = 10G # Limit Volume size to something reasonable + Maximum Volumes = 100 # Limit number of Volumes in Pool + Label Format = "Differential-" # Volumes will be labeled "Differential-" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Full.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Full.conf new file mode 100644 index 00000000000..867fc66b483 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Full.conf @@ -0,0 +1,10 @@ +Pool { + Name = Full + Pool Type = Backup + Recycle = yes # Bareos can automatically recycle Volumes + AutoPrune = yes # Prune expired volumes + Volume Retention = 365 days # How long should the Full Backups be kept? (#06) + Maximum Volume Bytes = 50G # Limit Volume size to something reasonable + Maximum Volumes = 100 # Limit number of Volumes in Pool + Label Format = "Full-" # Volumes will be labeled "Full-" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Incremental.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Incremental.conf new file mode 100644 index 00000000000..f4dbbab6650 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Incremental.conf 
@@ -0,0 +1,10 @@ +Pool { + Name = Incremental + Pool Type = Backup + Recycle = yes # Bareos can automatically recycle Volumes + AutoPrune = yes # Prune expired volumes + Volume Retention = 30 days # How long should the Incremental Backups be kept? (#12) + Maximum Volume Bytes = 1G # Limit Volume size to something reasonable + Maximum Volumes = 100 # Limit number of Volumes in Pool + Label Format = "Incremental-" # Volumes will be labeled "Incremental-" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Scratch.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Scratch.conf new file mode 100644 index 00000000000..3a489b19871 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Scratch.conf @@ -0,0 +1,4 @@ +Pool { + Name = Scratch + Pool Type = Scratch +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf new file mode 100644 index 00000000000..6edd0166dca --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf @@ -0,0 +1,18 @@ +Profile { + Name = operator + Description = "Profile allowing normal Bareos operations." + + Command ACL = !.bvfs_clear_cache, !.exit, !.sql + Command ACL = !configure, !create, !delete, !purge, !prune, !sqlquery, !umount, !unmount + Command ACL = *all* + + Catalog ACL = *all* + Client ACL = *all* + FileSet ACL = *all* + Job ACL = *all* + Plugin Options ACL = *all* + Pool ACL = *all* + Schedule ACL = *all* + Storage ACL = *all* + Where ACL = *all* +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/storage/File.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/storage/File.conf.in new file mode 100644 index 00000000000..4058ddc7edc --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/storage/File.conf.in 
@@ -0,0 +1,8 @@ +Storage { + Name = File + Address = @hostname@ # N.B. Use a fully qualified name here (do not use "localhost" here). + Password = "@sd_password@" + Device = FileStorage + Media Type = File + SD Port = @sd_port@ +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf new file mode 100644 index 00000000000..63a221e4512 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf @@ -0,0 +1,6 @@ +User { + Name = "user1" + Password = "" # unsed because authenticated by PAM + Profile = operator +} + diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bconsole-default.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bconsole-default.conf.in new file mode 100644 index 00000000000..ecb6ad00dce --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bconsole-default.conf.in @@ -0,0 +1,10 @@ +# +# Bareos User Agent (or Console) Configuration File +# + +Director { + Name = @basename@-dir + DIRport = @dir_port@ + address = @hostname@ + Password = "@dir_password@" +} diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bconsole.conf.in b/systemtests/tests/bconsole-pam/etc/bareos/bconsole.conf.in new file mode 100644 index 00000000000..889d33a6ed0 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/bareos/bconsole.conf.in @@ -0,0 +1,16 @@ +# +# Bareos User Agent (or Console) Configuration File +# + +Director { + Name = @basename@-dir + DIRport = @dir_port@ + address = @hostname@ + Password = "" +} + +Console { + Name = PamConsole + Password = "secret" +} + diff --git a/systemtests/tests/bconsole-pam/etc/pam.d/bareos.in b/systemtests/tests/bconsole-pam/etc/pam.d/bareos.in new file mode 100644 index 00000000000..2ec284b259a --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/pam.d/bareos.in 
@@ -0,0 +1,5 @@ +# +# PAM settings for service bareos. +# +auth required pam_exec.so expose_authtok debug quiet log=@PROJECT_BINARY_DIR@/tests/@TEST_NAME@/log/pam_exec_check.log @PROJECT_BINARY_DIR@/tests/@TEST_NAME@/bin/pam_exec_check.sh + diff --git a/systemtests/tests/bconsole-pam/etc/user1.cred b/systemtests/tests/bconsole-pam/etc/user1.cred new file mode 100644 index 00000000000..be0561ab305 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/user1.cred @@ -0,0 +1,2 @@ +user1 +user1 diff --git a/systemtests/tests/bconsole-pam/etc/user2.cred b/systemtests/tests/bconsole-pam/etc/user2.cred new file mode 100644 index 00000000000..6369d62eaa4 --- /dev/null +++ b/systemtests/tests/bconsole-pam/etc/user2.cred @@ -0,0 +1,2 @@ +user2 +wrongpassword diff --git a/systemtests/tests/bconsole-pam/testrunner b/systemtests/tests/bconsole-pam/testrunner new file mode 100755 index 00000000000..8c43f43dd77 --- /dev/null +++ b/systemtests/tests/bconsole-pam/testrunner 
@@ -0,0 +1,105 @@ +#!/bin/bash +# +# This test tests the bconsole against the bareos-dir using PAM authentication. +# +# Requires: +# on Debian following packages must be installed: +# libpam-modules (for pam_exec.so), +# libpam-wrapper, +# pamtester +# On Fedora, the names are similar: pam, pam-wrapper, pamtester. +# +# If they are not available, the test will be disabled by cmake. +# +# PAM is configured to accept all users where USERNAME = PASSWORD. +# +# Interactive PAM login in bconsole does not work, +# as the configured PAM module does not ask for the username. +# However, providing the PAM credentials to bconsole as file (bconsole -p CREDENTIALS_FILE) does work. +# +TestName="$(basename "$(pwd)")" +export TestName + +JobName=backup-bareos-fd +. ./environment +. ${scripts}/functions + +${scripts}/cleanup +${scripts}/setup + +# Directory to backup. +# This directory will be created by setup_data(). +BackupDirectory="${tmp}/data" + +# Use a tgz to setup data to be backuped. +# Data will be placed at "${tmp}/data/". +#setup_data + +start_test + +${scripts}/bareos-config initialize_database_driver + +export PAM_WRAPPER=1 +export PAM_WRAPPER_SERVICE_DIR=${current_test_directory}/etc/pam.d/bareos +# PAM_WRAPPER creates extra environments in /tmp/pam.*/ +# However, these are removed when bareos-dir daemonized. +# This settings keeps them all. +# Other workaround: don't let bareos-dir daemonize itself, +# but use foreground and ampersand (-f and &) +#export PAM_WRAPPER_KEEP_DIR=1 + +# PAM_WRAPPER_LIBRARIES has to set be cmake + +output=/dev/null +BAREOS_DIR_OPTIONS="" +if is_debug; then + export PAM_WRAPPER_DEBUGLEVEL=4 + BAREOS_DIR_OPTIONS="-d 200" + output=/dev/stdout +fi + +LD_PRELOAD=${PAM_WRAPPER_LIBRARIES} ${sbin}/bareos-dir -c etc/bareos -f ${BAREOS_DIR_OPTIONS} >$output 2>&1 & + +sleep 1 + +cat <$tmp/bconcmds +@$out $tmp/log1.out +status director +quit +END_OF_DATA + +if ! 
${bin}/bconsole -c "${conf}" -p etc/user1.cred < $tmp/bconcmds >${tmp}/log1.out 2>${tmp}/err1.out; then + cat ${tmp}/log1.out + cat ${tmp}/err1.out + set_error "Failed to login as user user1." + exit 1 +fi + +if ! grep -q "Running Jobs:" ${tmp}/log1.out; then + cat ${tmp}/log1.out + set_error "Unexpected output in user1 session." + exit 1 +fi + +print_debug "OK: login as user1 succeeded." + +if ${bin}/bconsole -c "${conf}" -p etc/user2.cred < $tmp/bconcmds >${tmp}/log2.out 2>${tmp}/err2.out; then + cat ${tmp}/log2.out + cat ${tmp}/err2.out + set_error "Login as user user2 succeeded. This should NOT happen." + exit 1 +fi + +print_debug "OK: login as user2 failed." + +if ! ${scripts}/bareos-ctl-dir status >/dev/null; then + set_error "Director does not run anymore. This should not happen." + exit 1 +fi + + +#run_bareos +#check_for_zombie_jobs storage=File +stop_bareos > $output 2>&1 + +end_test
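Review bot: The negative case at `if ${bin}/bconsole -c "${conf}" -p etc/user2.cred ...` only checks that bconsole exits non-zero, so any unrelated failure (Director unreachable, missing credentials file) passes as a successful rejection; after its `fi` add e.g. `grep -q "PAM authentication failed" ${tmp}/log2.out ${tmp}/err2.out || { set_error "user2 was not rejected by PAM."; exit 1; }`, pointing the grep at whichever stream ConsoleOutput writes to. The Director is started with `LD_PRELOAD=${PAM_WRAPPER_LIBRARIES}` unquoted and unchecked; if the variable is empty the Director silently runs against the host's real PAM stack, so a guard such as `: "${PAM_WRAPPER_LIBRARIES:?PAM_WRAPPER_LIBRARIES must be set}"` before the start line fails closed. The fixed `sleep 1` after backgrounding bareos-dir is a race on slow hosts; polling `${scripts}/bareos-ctl-dir status` until it succeeds would be more robust. The heredoc start shows here as `cat <$tmp/bconcmds`, presumably `cat <<END_OF_DATA >$tmp/bconcmds` lost in rendering.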