Re: [BackupPC-users] Backing up localhost - permission question

2007-04-15 Thread Holger Parplies
Hi,

Eric Snyder wrote on 14.04.2007 at 21:27:16 [Re: [BackupPC-users] Backing up 
localhost - permission question]:
> Carl Wilhelm Soderstrom wrote:
> > [...]
> > I also have this entry in /etc/sudoers:
> > backuppc ALL=NOPASSWD: /bin/tar 
> >
> > the suggestion to make that 
> > backuppc ALL=NOPASSWD: /bin/tar -c
> >
> > is a good one tho.
> Thanks. I have done everything and I get the following result:
> [..]
> Running: /usr/bin/env LC_ALL=C /usr/bin/sudo /usr/bin/tar -c -v -f - -C 
> /etc --totals .
> full backup started for directory /etc
> Xfer PIDs are now 2025,2024
> 
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
> [ skipped 3 lines ]
> Password:

that's sudo showing the 'first time lecture' and asking for a password,
meaning the line does not match one with the 'NOPASSWD' flag. If you
*exactly* followed Carl's post, then you'll have to replace '/bin/tar'
with '/usr/bin/tar' in /etc/sudoers (or change your $Conf{TarClientPath} to
'/bin/tar' instead of '/usr/bin/tar' if appropriate - one of those might be
a soft link to the other, which would probably let sudo be picky about which
you may execute and which you may not, meaning your line in /etc/sudoers and
your $Conf{TarClientPath} would have to match, even though it's the same
executable, really; if you only have tar in one of (/bin, /usr/bin), you'll
have to use that and adapt /etc/sudoers, obviously).

If in doubt, try it out by hand:

# su backuppc
% sudo /bin/tar -c -f /tmp/foo.tar name.of.a.small.file

That way you can more easily play around with the command and see what
happens.

Aside from that, '/usr/bin/env LC_ALL=C /usr/bin/sudo ...' may or may not do
what you want, because sudo is quite careful about which environment
variables it passes on and which it doesn't. You should really only need to
set LC_ALL if your system default language is not English, because BackupPC
expects messages from tar to be in English (though I'm not sure if an 'exotic'
character encoding might make it necessary to set LC_ALL even with English as
default language).

Regards,
Holger

___
BackupPC-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/


Re: [BackupPC-users] Backing up localhost - permission question

2007-04-14 Thread Eric Snyder


Carl Wilhelm Soderstrom wrote:
> Here's the localhost.pl file that I use.
>
> #
> # Local server backup of /etc as user backuppc
> #
> $Conf{XferMethod} = 'tar';
>
> $Conf{TarShareName} = ['/etc'];
>
> $Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C /usr/bin/sudo $tarPath' 
> . ' -c -v -f - -C $shareName --totals';
>
> # let it back itself up anytime it wants to.
> $Conf{BlackoutPeriods} = [];
>
>
> I also have this entry in /etc/sudoers:
> backuppc ALL=NOPASSWD: /bin/tar 
>
> the suggestion to make that 
> backuppc ALL=NOPASSWD: /bin/tar -c
>
> is a good one tho.
>
>   
Thanks. I have done everything and I get the following result:
Contents of file /data/BackupPC/pc/slacker/XferLOG.bad.z, modified 
2007-04-14 21:20:47 (Extracting only Errors)

Running: /usr/bin/env LC_ALL=C /usr/bin/sudo /usr/bin/tar -c -v -f - -C 
/etc --totals .
full backup started for directory /etc
Xfer PIDs are now 2025,2024

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
[ skipped 3 lines ]
Password:
tarExtract: Done: 0 errors, 0 filesExist, 0 sizeExist, 0 sizeExistComp, 
0 filesTotal, 0 sizeTotal
Got fatal error during xfer (No files dumped for share /etc)
Backup aborted (No files dumped for share /etc)

My localhost.pl file is as follows:

$Conf{XferMethod} = 'tar';
$Conf{TarShareName} = [
  '/etc'
];
$Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C /usr/bin/sudo $tarPath'
. ' -c -v -f - -C $shareName --totals';
$Conf{SmbShareName} = [
  'backupshare'
];
$Conf{SmbSharePasswd} = 'removed';
$Conf{SmbShareUserName} = 'removed';



Re: [BackupPC-users] Backing up localhost - permission question

2007-04-12 Thread Carl Wilhelm Soderstrom

Here's the localhost.pl file that I use.

#
# Local server backup of /etc as user backuppc
#
$Conf{XferMethod} = 'tar';

$Conf{TarShareName} = ['/etc'];

$Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C /usr/bin/sudo $tarPath' 
. ' -c -v -f - -C $shareName --totals';

# let it back itself up anytime it wants to.
$Conf{BlackoutPeriods} = [];


I also have this entry in /etc/sudoers:
backuppc ALL=NOPASSWD: /bin/tar 

the suggestion to make that 
backuppc ALL=NOPASSWD: /bin/tar -c

is a good one tho.

-- 
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com



Re: [BackupPC-users] Backing up localhost - permission question

2007-04-11 Thread Holger Parplies
Hi,

Eric Snyder wrote on 11.04.2007 at 20:15:50 [[BackupPC-users] Backing up 
localhost - permission question]:
> I am setting up localhost to be backed up. In the help file at 
> http://backuppc.sourceforge.net/faq/localhost.html there is the 
> following blurb:
> 
> "Make sure this script and all parent directories have no write 
> permission. Then remove the -c from $Conf{TarClientCmd} 
> <http://backuppc.sourceforge.net/faq/BackupPC.html#item__conf_tarclientcmd_> 
> and change the tar path:"
> 
> Is this write permission for owner, group, others or all three?

whatever makes sense (see below :). The point is that anyone with write
permission to - and that's the important part - *either* script *or* *any*
parent directory would be able to replace the script by something of his/her
own creation, thus not only circumventing the supposed restriction (context:
limiting privileges given to the BackupPC user through sudo), but rather
giving *anyone at all* with such write permission the possibility to run
*any command* as root, if he can only get BackupPC to run (his modified
version of) the script (i.e. initiate a backup or wait for a scheduled one).

Owner write permission is not something you can meaningfully remove since
the owner can chmod() a file/directory however he likes anyway (except
maybe on ext2/3 if you make the file/dir immutable ...).

This probably means that all parent directories and the script itself should
be *owned by root* and *not writeable* for group and others. Actually, I'd
recommend not using that approach at all. If I'm not completely mistaken
[read: it is documented and proves to work that way on Debian sarge ;-],
you can achieve the same with a sudoers line like

backuppc ALL = NOPASSWD: /bin/tar -c *

You just need to make sure you always pass the -c as first and separate
argument to tar (in $Conf{TarClientCmd}), as the following will all *not*
match, because in all cases the first argument to tar is not '-c':

/bin/tar -v -c ...
/bin/tar -cf ...
/bin/tar c -f ...

Note that automatic restores through the web interface will no longer work,
as BackupPC cannot initiate the TarClientRestoreCmd (tar -x).


Was your question related to the thread you are referencing
("BackupPC_link errors")?

Regards,
Holger
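
One way to check the condition described in the reply above (the script and every parent directory owned by root and not writable by group or others), as an added example that is not part of the original post or of BackupPC. The function name `check_chain` and its optional OWNER and STOP arguments are hypothetical; they exist only so the check can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread). check_chain FILE [OWNER] [STOP]
# Walks from FILE up to STOP (default /) and reports every path component
# that is not owned by OWNER (default uid 0) or is writable by group or
# others. For the sudo wrapper-script case keep the defaults.
# Returns 0 = chain is safe, 1 = at least one unsafe component, 2 = no such file.
check_chain() {
    file=$1 owner=${2:-0} stop=${3:-/}
    # Resolve the directory part physically so symlinked parents are seen.
    dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) || return 2
    if [ "$dir" = / ]; then dir=; fi
    p=$dir/$(basename "$file")
    [ -e "$p" ] || return 2
    rc=0
    while :; do
        # -prune keeps find on this single path. A symlink is tested itself
        # and gets reported, since its mode is normally 0777.
        bad=$(find "$p" -prune \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "unsafe: $p" >&2
            rc=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Stand-alone use: pass the script path as the first argument.
if [ "$#" -gt 0 ]; then
    check_chain "$@"
fi
```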

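The first-argument rule from the reply above, together with the /bin/tar versus /usr/bin/tar mismatch diagnosed in the 2007-04-15 reply, as an added example that is not from the thread's authors. `check_rule` is a hypothetical helper and a simplified model, not sudo's parser: it assumes the path is compared as a literal string and the arguments, joined by single spaces, are matched against the rule's pattern as a shell glob.

```shell
#!/bin/sh
# Added example: simplified model of comparing a sudoers command spec with
# the command BackupPC runs. Not sudo's own matching code.

# check_rule RULE CMD [ARG...]
# Prints match, path-mismatch or args-mismatch; returns 0 only for match.
check_rule() {
    rule=$1 cmd=$2
    shift 2
    rule=${rule%"${rule##*[! ]}"}          # drop trailing blanks
    rule_path=${rule%% *}
    case $rule in
        *" "*) rule_args=${rule#* } ;;     # rule restricts the arguments
        *)     rule_args='*' ;;            # bare path: any arguments
    esac
    if [ "$cmd" != "$rule_path" ]; then
        echo path-mismatch
        return 1
    fi
    # "$*" is the argument list joined by spaces; a pattern without a
    # wildcard therefore has to equal the whole argument string.
    case "$*" in
        $rule_args) echo match; return 0 ;;
    esac
    echo args-mismatch
    return 1
}

# Constructed driver: rules in the style quoted in the thread, checked
# against the command line shown in the XferLOG.
for r in '/bin/tar ' '/usr/bin/tar -c' '/usr/bin/tar -c *'; do
    printf '%-20s ' "$r"
    check_rule "$r" /usr/bin/tar -c -v -f - -C /etc --totals . || true
done
```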


[BackupPC-users] Backing up localhost - permission question

2007-04-11 Thread Eric Snyder

Hello all:

I am setting up localhost to be backed up. In the help file at 
http://backuppc.sourceforge.net/faq/localhost.html there is the 
following blurb:


"Make sure this script and all parent directories have no write 
permission. Then remove the -c from $Conf{TarClientCmd} 
 
and change the tar path:"


Is this write permission for owner, group, others or all three?

Thanks,
Eric Snyder