On Mon, Jan 24, 2005 at 03:51:13PM -0500, Gene Heskett wrote:
> Now become 'amanda' and do an amcheck, which works just fine.
> Back out of that and become 'gene' and the permissions are denied, the 
> user gene, even though he built it, cannot run it.
> [...]
> So basicly it has to be run by whomever is set in the configuration, 
> but not by who built it.

That's my understanding.  Kind of makes sense.  And it's
certainly how the permissions are set up here:
    -rwsr-x---  1 root  operator  87183 Apr 23  2004 /usr/local/sbin/amcheck
(Our Amanda server is a FreeBSD box, on which group "operator"
serves the same function as "disk" on your machines.)

Amdump insists on being run by the Amanda user too (the file has
read and execute permission for everyone, but the script itself
checks).

> If I were to change that line in the 
> configuration, then I'd assume gene could run it, but not amanda.

I'd imagine so.  Of course, amcheck might get some errors, since
"gene" isn't in the "disk" group, and (hopefully) doesn't have
permission to write index, log, and tapelist files.  (If amcheck
didn't notice, amdump certainly would...)

> I'll leave it this way for now & see how it runs tonight.

Cool.  I'm looking forward to the results :-)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        erics AT telepres DOT com
|  |  /
The animal that coils in a circle is the serpent; that's why so
many cults and myths of the serpent exist, because it's hard to
represent the return of the sun by the coiling of a hippopotamus.
        - Umberto Eco, "Foucault's Pendulum"