Paul Bijnens <paul.bijnens AT xplanation DOT com> writes:

> Greg Troxel wrote:
> > d) Can an unauthorized party ask the server to retrieve backups?
> > I'm not the least bit comfortable with this; I don't run the recover
> > or indexing daemons.
> 
> This part works also using bsd-security.  The .amandahosts file
> works both ways.
> 
> The .amandahosts file on a client contains the host and username of
> amandaserver.  It is usually only one line on most clients:
>    server.nowhere.com   amanda
> 
> The .amandahosts file on the server contains usually the same line
> (because the server is a client of itself too).  And in addition to
> this, you can/need add a line for each client that needs to
> recover files.  That line usually needs to specify "root" as username,
> because you usually want the permissions and owners of files on the
> client to be correctly restored too.

It would be nice to have a different ACL file for client retrieval, so
that "retrieve backup" and "do backup of server" privs can be granted
separately.

It would be cool to have a way to specify limiting retrievals to the
host for which the backups are, i.e. clientN can only retrieve
clientN's backups.

Perhaps in the head branch where there is gss-api support amrecover
could authenticate/encrypt and have per-host and global retrieval
acls.

> When I need to restore on a client, I can uncomment the necessary line
> for a few minutes/hours.

That makes sense - good application of the Principle of Least Privilege.

> (*) real comments are actually not supported in the syntax of the file.
>      The program assumes the hostname is '#client1.nowhere.com'
>      which, if you control the DNS access on the server, does not
>      match any existing hostname.

It would be nice to add these; it would avoid having to analyze the
DNS situation to be comfortable.  But on NetBSD 2.99.15, ruserok(3)
does not seem to ignore lines with #.

-- 
        Greg Troxel <gdt AT ir.bbn DOT com>