On Wednesday 04 September 2019 08:49:48 Nathan Stratton Treadway wrote:

> On Wed, Sep 04, 2019 at 05:48:41 -0600, Charles Curley wrote:
> > On Wed, 4 Sep 2019 07:02:58 -0400
> >
> > Gene Heskett <[email protected]> wrote:
> > > FAILURE DUMP SUMMARY:
> > > picnc / lev 0 FAILED ["security file
> > > '/etc/amanda-security.conf' do not allow to run '/usr/bin/tar' as
> > > root for 'amgtar:gnutar_path'"] picnc /boot lev 0 FAILED
> > > ["security file
> > > '/etc/amanda-security.conf' do not allow to run '/usr/bin/tar' as
> > > root for 'amgtar:gnutar_path'"]
> > >
> > > What is the official, it actually works fix? There is no amgtar in
> > > the debian supplied packages.
> >
> > I don't know about official. But, based on your locating amgtar, I
> > suggest you try
> >
> > amgtar:gnutar_path=/usr/lib/amanda/application/amgtar
> >
> > in your /etc/amanda-security.conf. Then use amcheck to verify.
>
> Actually this line isn't giving the path to the amgtar binary, but
> rather is specifying the path to the GNU tar binary that amgtar is
> allowed to invoke. (The point being that amgtar and its
> program/application siblings are SUID root, so you need to carefully
> restrict the binaries each one is allowed to invoke.)
>
> You can see from Gene's error messages that it's currently trying to
> run "/usr/bin/tar" -- and that is what you would expect on a usrmerged
> system. So he just needs to grant that permission (i.e. with a
> amgtar:gnutar_path=/usr/bin/tar
> line.)

And that apparently fixes it for amcheck. We'll see what happens tonight.

> On a particular system that is already usrmerged (such as picnc is in
> the above example) there isn't a need for the matching
> amgtar:gnutar_path=/bin/tar
> line... so I don't think Gene would need to add that line to the file
> unless he were planning to share that same edited amanda-security.conf
> file between usrmerged and un-usrmerged systems.

Okay, but please explain this "usrmerged" B.S. to this old fart. I'm lost at the first corner as to both what it is, and the justification for doing whatever it is that they've done. I can imagine they want to separate the working $PATH between what root can see and use vs what the user can see and use. But since perms have already done that, albeit porously, I tend to look at such changes as changes for the hell of it to see what they can break. Breakage for that reason can never be justified according to grandpa Gene.

One other question, why can I not "reply to list". It's a pita to have to copy/paste the list address into the blank To: line.

> Nathan
>
> ----------------------------------------------------------------------
> Nathan Stratton Treadway - [email protected] - Mid-Atlantic region
> Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
> GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
> Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239

Copyright 2019 by Maurice E. Heskett

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
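The allowlist discussed in the message above, as an added example that is not part of the original thread and is not Amanda's own code: it lists which `amgtar:gnutar_path` lines a given `amanda-security.conf` is missing for the tar paths named in the thread. It assumes entries are `program:option=/path` lines, that lines starting with `#` are comments, and that a path is allowed only on an exact string match; the function names and sample file contents are constructed for illustration.

```python
# Added example: a local model of the allowlist, not Amanda's own code.
# Assumptions: entries are "program:option=/path" lines, lines starting with
# '#' are comments, and a path is allowed only on an exact string match.

KEY = "amgtar:gnutar_path"

def parse_security_conf(text):
    """Map each "program:option" key to the set of paths listed for it."""
    allowed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value:
            allowed.setdefault(key, set()).add(value)
    return allowed

def missing_lines(text, key, paths):
    """Return the config lines that would have to be added for `paths`."""
    listed = parse_security_conf(text).get(key, set())
    return [f"{key}={p}" for p in paths if p not in listed]

# Constructed sample files (not taken from a real system).
# 1) The line suggested first in the thread: it names amgtar itself, so the
#    tar binary from the error message is still not listed.
SUGGESTED = """\
# constructed sample
amgtar:gnutar_path=/usr/lib/amanda/application/amgtar
"""
# 2) One file shared between usrmerged and un-usrmerged hosts.
SHARED = """\
# constructed sample
amgtar:gnutar_path=/usr/bin/tar
amgtar:gnutar_path=/bin/tar
"""

if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED), ("shared", SHARED)):
        todo = missing_lines(conf, KEY, ["/usr/bin/tar", "/bin/tar"])
        print(name, "->", todo or "all listed")
```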
