Re: [BackupPC-users] BackupPC CGI interface and Plesk
I wrote earlier: Les Mikesell wrote: I'm guessing here, but I'd expect re-installing backuppc with the user plesk wants to force (or carefully changing ownership and the startup scripts) and removing the setuid mode would work. I'll try messing with it some more. Maybe I should indeed just use the user Plesk created instead of the backuppc user. Today I went ahead and reinstalled using the user I created through Plesk for the vhost. I chmodded BackupPC_Admin 750 as setuid is not needed (since Plesk uses suexec by default) and behold: it works! I could have recreated the vhost in Plesk and named the user backuppc, but oh well. Off to configure my hosts... :o) Thanks, Nils Breunese. ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/
Re: [BackupPC-users] BackupPC CGI interface and Plesk
Hello Peter, Hey, It may be too late for this because it looks like you already got things working using Plesk. Not sure if you ran across this in your search, but a while back I wrote some docs for setting up backuppc using suexec *instead* of sperl, which allows you to avoid all those workarounds like running apache as backuppc user, etc. http://moderndoorbells.com/backuppc (skip ahead to step 3 for suexec stuff) I read your post on the list today and took a look at it. At that moment I nearly had everything working, so I didn't really use it. My final setup is not that hard actually. Plesk uses suexec for Perl on every vhost by default, I just had to install backuppc to run as the user I created for the vhost. Then you also don't need the setuid bit on BackupPC_Admin anymore. I think the BackupPC documentation should promote the use of suexec instead of sperl. I have heard that suexec is more secure anyway. But for some reason everyone seems to be stuck on sperl. Why would it be more secure? I do agree that on a vanilla system the setuid way seems the easiest to setup. Please let me know if my soluton is similar to what you came up with. Possibly we should get together and create a more platform independent doc for using suexec with backuppc. Well, I guess my solution is not very platform independent. Plesk even uses a patched version of suexec I believe and I installed backuppc on a CentOS 4 system, with all dependencies installed using rpms. Only backuppc itself was not an rpm. Nils Breunese. ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/
Re: [BackupPC-users] BackupPC CGI interface and Plesk
Les Mikesell wrote: Maybe the Plesk way of doing things would be to change the backuppc user (and ownership of everything related) to match the lemonbitbackup user that Plesk created. Is this supposed to be something that saves you time...? Security software, like suexec, is almost never supposed to be something that saves you time, right? Well, in the long run, yes, because when setup properly it will save you a lot of time fixing stuff. Shared hosting environments are jungles and I actually think things like suexec are great. I've never had any problems with CGI scripts and suexec. It always just worked out of the box. Installing BackupPC was the first time I had to setuid a CGI script for a parcticular user that is not the site user and now I can't seem to get it to work. Which would be a pity, because BackupPC seems like it would be perfect for my needs. Nils Breunese. ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/
Re: [BackupPC-users] BackupPC CGI interface and Plesk
On Thu, 2006-06-08 at 18:51 +0200, Nils Breunese (Lemonbit Internet) wrote: Maybe the Plesk way of doing things would be to change the backuppc user (and ownership of everything related) to match the lemonbitbackup user that Plesk created. Is this supposed to be something that saves you time...? Security software, like suexec, is almost never supposed to be something that saves you time, right? Well, in the long run, yes, because when setup properly it will save you a lot of time fixing stuff. Sounds like a typical policy vs. reality issue. You can scale things up by following a specific policy and repeating procedures - until you want something different. Then you can't. Shared hosting environments are jungles and I actually think things like suexec are great. I've never had any problems with CGI scripts and suexec. It always just worked out of the box. Installing BackupPC was the first time I had to setuid a CGI script for a parcticular user that is not the site user and now I can't seem to get it to work. Which would be a pity, because BackupPC seems like it would be perfect for my needs. Backuppc's only requirement is that the cgi program runs as the user that owns the rest of it's files. If you already have a mechanism to make that happen, use it instead of one that has its own policy. I'm guessing here, but I'd expect re-installing backuppc with the user plesk wants to force (or carefully changing ownership and the startup scripts) and removing the setuid mode would work. Otherwise, fire up a separate instance of httpd on a different port so you don't have to fight with the other one. Or, if you can trust Plesk not to undo your mods, either make the Suexec user the one you want, or remove it and let the perlsuid version take care of it. -- Les Mikesell [EMAIL PROTECTED] ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/
Re: [BackupPC-users] BackupPC CGI interface and Plesk
Les Mikesell wrote: I'm guessing here, but I'd expect re-installing backuppc with the user plesk wants to force (or carefully changing ownership and the startup scripts) and removing the setuid mode would work. I'll try messing with it some more. Maybe I should indeed just use the user Plesk created instead of the backuppc user. Otherwise, fire up a separate instance of httpd on a different port so you don't have to fight with the other one. I heard a lot people give that suggestion, but I haven't been able to find out how to do actually do that. Any pointers (this is a CentOS 4.3 system with apache2)? Thanks again, Nils Breunese. ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/
Re: [BackupPC-users] BackupPC CGI interface and Plesk
On Thu, 2006-06-08 at 19:59 +0200, Nils Breunese (Lemonbit Internet) wrote: I'll try messing with it some more. Maybe I should indeed just use the user Plesk created instead of the backuppc user. Otherwise, fire up a separate instance of httpd on a different port so you don't have to fight with the other one. I heard a lot people give that suggestion, but I haven't been able to find out how to do actually do that. Any pointers (this is a CentOS 4.3 system with apache2)? First you would build a suitable httpd.conf file setting it to listen on a different port and being careful about what else it includes to avoid conflicts with the stock version. Then you make a link to the httpd binary with a different name. Then copy /etc/init.d/httpd to a file with a different name and edit the copy to reference your linked name instead of httpd for the executable, pid file, etc. and to set '-f new_httpd.conf' in OPTIONS. chkconfig, service etc., will then all work with your new name for the other instance and when it starts it will use your modified config file. But, this is probably overkill for this purpose unless you need the speed of mod_perl. There has to be a way to make the stock version do what you want. -- Les Mikesell [EMAIL PROTECTED] ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/backuppc-users http://backuppc.sourceforge.net/