[wplug] FreeBSD tar and operator group permissions
Tom Rhodes
trhodes at FreeBSD.org
Thu Jun 19 21:29:22 EDT 2008
On Thu, 19 Jun 2008 15:18:14 -0400 (EDT)
"Larry Daberko" <larry at daberko.com> wrote:
> Thanks Tom. Those weren't the only directories, just a sample of the
> error messages among many other directories.
>
> I got a few things I'm trying with sudo. If I get it working, I'll post it.
>
> LBD
Depending on what, exactly, your security model is, you can
use sudo to give passwordless control over a utility, such
as a backup:

    operator ALL=NOPASSWD: /usr/local/bin/backup

Where backup is a shell script that:

    Spins up a hard disk,
    mounts the hard disk,
    writes a backup to it using tar,
    spins down the hard disk.

It's just one of the methods I'm using. Good luck,
>
> > On Wed, 18 Jun 2008 15:35:10 -0400 (EDT)
> > larry at daberko.com wrote:
> >
> >> Since our FreeBSD list is gone, I'm posting this here.
> >>
> >> My workplace uses BackupPC for backing up Linux boxes. I tried to make
> >> FreeBSD work with it and am getting permission errors.
> >>
> >> I created a backuppc user, added it to the operator group. I also
> >> generated a ssh key and copied the public key to the backup server. The
> >> backup is done by doing rsync over ssh.
> >>
> >> I get these in the logs:
> >> Remote[1]: rsync: opendir "/var/audit" failed: Permission denied (13)
> >> Remote[1]: rsync: opendir "/var/backups" failed: Permission denied (13)
> >> Remote[1]: rsync: opendir "/var/crash" failed: Permission denied (13)
> >> etc etc
> >>
> >> Now, reading up on it, it appears that the operator group has read access
> >> to the *raw* disks, and not the files themselves. This would work better
> >> with dump?
> >>
> >> Am I correct?
> >>
> >> How can I fix it? I'd rather not have to give root access in order to
> >> backup the system.
> >
> > The /var/audit directory is specifically used for AUDIT support
> > in later FreeBSD systems. The /var/crash directory is for crash
> > dumps, of course, and backups contains a backup copy of the
> > password and group files (along with a few others).
> >
> > So if you really want to save core dumps, an empty audit
> > directory (if not using audit), and old copies of the password
> > files, I'm afraid you're stuck with being root for dealing
> > with these directories. The operator is not permitted to
> > access those specific directories.
> >
> > Two options come to mind. Using sudo and giving the user
> > elevated, passwordless permissions for the backup command
> > only, or by doing a dump.
> >
> > --
> > Tom Rhodes
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> >
>
--
Tom Rhodes
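
The sudo approach from the reply above, as an added example that is not part of the original message: one way to write the root-run script that the sudoers line points at. The disk `da1`, its partition, the mount point and the source directories are assumed values, and `DRY_RUN` is a hypothetical switch for checking the command sequence without touching hardware.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended target of:
#   operator ALL=NOPASSWD: /usr/local/bin/backup
# Install it root-owned and not writable by group or others, so the
# invoking user cannot change what sudo runs as root.

PATH=/sbin:/bin:/usr/sbin:/usr/bin   # fixed PATH, never the caller's
export PATH
umask 077                            # archive readable by root only

DISK=da1                          # assumed backup disk
PART=/dev/${DISK}p1               # assumed partition on that disk
MNT=/mnt/backup                   # assumed mount point
SRC="/var/backups /var/crash"     # assumed directories to archive

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# backup takes no arguments on purpose: the sudoers rule grants exactly
# one fixed action, so the caller cannot steer tar or mount.
backup() {
    archive="$MNT/backup-$(date +%Y%m%d).tar"
    run camcontrol start "$DISK" || return 1      # spin up
    if ! run mount "$PART" "$MNT"; then
        run camcontrol stop "$DISK"               # do not leave it spinning
        return 1
    fi
    # SRC is split into separate paths deliberately (unquoted).
    run tar -cf "$archive" $SRC
    rc=$?
    # Always unmount and spin down, even when tar failed.
    run umount "$MNT"
    run camcontrol stop "$DISK"
    return $rc
}

# Run the backup only when installed and invoked under the name "backup".
case "$0" in
    */backup|backup) backup ;;
esac
```

With sudo's default `env_reset`, the caller's environment (including `DRY_RUN`) is not passed through, so the switch is only useful when running the script directly for a test.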