[wplug] FreeBSD tar and operator group permissions

Tom Rhodes trhodes at FreeBSD.org
Thu Jun 19 21:29:22 EDT 2008


On Thu, 19 Jun 2008 15:18:14 -0400 (EDT)
"Larry Daberko" <larry at daberko.com> wrote:

> Thanks Tom.  Those weren't the only directories, just a sample of the
> error messages among many other directories.
> 
> I got a few things I'm trying with sudo.  If I get it working, I'll post it.
> 
> LBD

Depending on what, exactly, your security model is, you can
use sudo to give passwordless control over a utility, such
as a backup:

operator ALL=NOPASSWD: /usr/local/bin/backup

Where backup is a shell script that:

Spins up a hard disk,
mounts the hard disk,
writes a backup to it using tar,
spins down the hard disk.

It's just one of the methods I'm using.  Good luck,

> 
> > On Wed, 18 Jun 2008 15:35:10 -0400 (EDT)
> > larry at daberko.com wrote:
> >
> >> Since our FreeBSD list is gone, I'm posting this here.
> >>
> >> My workplace uses BackupPC for backing up Linux boxes.  I tried to make
> >> FreeBSD work with it and am getting permission errors.
> >>
> >> I created a backuppc user, added it to the operator group.  I also
> >> generated a ssh key and copied the public key to the backup server.  The
> >> backup is done by doing rsync over ssh.
> >>
> >> I get these in the logs:
> >> Remote[1]: rsync: opendir "/var/audit" failed: Permission denied (13)
> >> Remote[1]: rsync: opendir "/var/backups" failed: Permission denied (13)
> >> Remote[1]: rsync: opendir "/var/crash" failed: Permission denied (13)
> >> etc etc
> >>
> >> Now, reading up on it, it appears that the operator group has read access
> >> to the *raw* disks, and not the files themselves.  This would work better
> >> with dump?
> >>
> >> Am I correct?
> >>
> >> How can I fix it?  I'd rather not have to give root access in order to
> >> back up the system.
> >
> > The /var/audit directory is specifically used for AUDIT support
> > in later FreeBSD systems.  The /var/crash directory is for crash
> > dumps, of course, and backups contains a backup copy of the
> > password and group files (along with a few others).
> >
> > So if you really want to save core dumps, an empty audit
> > directory (if not using audit), and old copies of the password
> > files, I'm afraid you're stuck with being root for dealing
> > with these directories.  The operator is not permitted to
> > access those specific directories.
> >
> > Two options come to mind.  Using sudo and giving the user
> > elevated, passwordless permissions for the backup command
> > only, or by doing a dump.
> >
> > --
> > Tom Rhodes
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> >
> 


-- 
Tom Rhodes
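
A NOPASSWD rule like the one above is only as tight as the permissions on /usr/local/bin/backup: if the operator account can edit or replace that script, the rule hands out full root. The check below is an added example, not part of the original message; the function names are hypothetical, and it inspects only the script and the directory that holds it.

```shell
#!/bin/sh
# Added example: audit a script that a sudoers NOPASSWD rule runs as root.
# Usage: sh check_sudo_target.sh /usr/local/bin/backup [owner_uid]

# Print "<mode-string> <numeric-uid>" for a path. ls -ldn is used because
# stat(1) takes different flags on FreeBSD and Linux.
mode_and_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $1, $3}'
}

# Succeed only if the mode string has no write bit for group or other.
# Layout: type, owner rwx, group rwx, other rwx (e.g. -rwxr-xr-x).
not_group_other_writable() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the script and the directory that holds it. Default owner is uid 0.
check_sudo_target() {
    target=$1
    want_uid=${2:-0}
    rc=0
    # A symlink could be repointed; a missing file could be created later.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: $target is a symlink, missing, or not a regular file"
        return 1
    fi
    for p in "$target" "$(dirname "$target")"; do
        info=$(mode_and_uid "$p")
        mode=${info% *}
        uid=${info#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p is owned by uid $uid, expected $want_uid"
            rc=1
        fi
        if ! not_group_other_writable "$mode"; then
            echo "FAIL: $p is writable by group or other ($mode)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $target"; fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_sudo_target "$@"; fi
```

Run it as part of provisioning or from cron on the backup client; a non-zero exit means the sudoers entry should be treated as unsafe until the ownership or mode is corrected.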

