BackupPC-users

Re: [BackupPC-users] Wake-on-LAN setup - no ping response

2015-03-15 15:58:18
Subject: Re: [BackupPC-users] Wake-on-LAN setup - no ping response
From: Holger Parplies <wbppc AT parplies DOT de>
To: Russ Russ <russ_kz AT mail DOT ru>, "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Sun, 15 Mar 2015 20:54:35 +0100

Hi,

Russ Russ wrote on 2015-03-06 09:07:30 +0300 [[BackupPC-users] Wake-on-LAN 
setup - no ping response]:
> [...]
> I have backuppc server on Gentoo which works fine with regular client
> backups. Now I am configuring wake-on-lan to wake windows clients up before
> backup.
> [...]
> 3. Appropriate 777 rights have been granted to wolping.sh.

a=rwx is hardly appropriate. Actually, having 'others' being able to modify
the script is an attack waiting to happen. Anyone at all with access to the
machine can put anything they want into the script and just have to wait for
it to be executed by the BackupPC daemon with its associated privileges. That
is basically the same as giving anyone a free backuppc uid shell, including
full access to all backups and presumably root access to all client machines
you are backing up. Not necessarily a good idea ;-).

I don't believe BackupPC actually checks the permissions before executing the
PingCmd (or any other), but I wouldn't blame *anything* (BackupPC, Perl, bash,
kernel) for blandly refusing to execute a world-writable file as a general
security measure.

> This is output of ls -l: 
> -rwxrwxrwx 1 backuppc backuppc 1246 12:00 wolping.sh

The ownership looks good enough, though 'root:root' might be more suitable,
now you just have to 'chmod go-w' it. And afterwards check it has not been
modified. We'll just assume no malicious party has the file opened for writing
across your chmod and review, but for the record I'll mention the theoretical
possibility.

Curious that your 'ls -l' output contains no date :-).

> 4. I have tested wolping.sh and it works great from terminal under backuppc
> user

Well, you use 'sudo'. You haven't by chance previously input a sudo password
in your terminal session? You are sure you are executing
/usr/local/bin/wolping.sh and not a different version of the script somewhere
in your path? ;-) What is the return code of the script when you execute it
from a shell? Your standard shell usually doesn't tell you if you don't ask
explicitly, but it might make a difference for BackupPC.

> Seems that backuppc does not even fire the script as "logger" does not
> appear in tail -f /var/log/messages

You should see more in BackupPC's log files.

I don't regularly use the 'logger' command, so I'm not familiar with its
intricacies. Is it not called, or does it fail to log, or does it log
somewhere else than you are looking? Does the command line invocation of
wolping.sh cause a log entry (in /var/log/messages)?

Looking at your script, I am wondering what your $Conf{PingCmd} looks like
(out of habit, I'd also like to see $Conf{PingPath}). It's obviously not the
default ('$pingPath -c 1 $host'), because you get your host name from $5:

> [...]
> WAKEHOST=$5
> [...]
> function fwol {
>          TO_WAKEUP=$1

(apparently never used)

>          sudo $ETHWAKE $1

I suppose you've got an entry similar to this in your /etc/sudoers:

backuppc ALL=NOPASSWD: /sbin/etherwake -i enp3s0 *

You use different invocations of the ping command - is that intentional?

> [...]
> $PING $ARG1 $ARG2 $ARG3 $ARG4 $WAKEHOST >>/dev/null 2>&1
> $PING $ARG1 $ARG2 $WAKEHOST
> $PING $ARG1 $ARG2 $ARG3 $ARG4 $WAKEHOST

Wouldn't it make more sense to control that in the script and call it with the
parameters that are truly variable, e.g.

        wolping.sh hostname interval

Your script is implying semantics for $ARG3 and $ARG4, so you can't really
configure PingCmd to use wolping.sh with arbitrary 'ping' switches (let alone
a variable number of them) in arbitrary order, as it might first appear. You
might also want to replace the sleep command with a fancy ping invocation to
be more adaptive to the time an individual host actually requires to boot. You
could experiment with something like

        ping -i 10 -c 18 -A -q hostname

which should wait at most 180 seconds (like your sleep command), probe your
host in 10 second intervals and terminate shortly after the host begins to
respond. That way, you could increase the tolerance (raise the -c argument) to
accommodate for slow hosts and yet not have to unnecessarily wait for a fixed
long time for fast hosts. Of course, you would also wait the maximum time for
hosts which simply fail to wake up.


Hope that helps.

Regards,
Holger
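
The permission problem discussed in this message can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell function that flags a daemon-run script, or the directory holding it, when it is group- or world-writable or not owned by a trusted uid. The function names and the trusted-uid parameter are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a script that a daemon
# executes, such as a PingCmd wrapper, for unsafe ownership and write bits.
# Pass an absolute path. $2 is a space-separated list of numeric uids that
# may own the script and its directory (assumed default: 0, i.e. root).

# True if path $1 has all permission bits of octal mode $2 set.
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# True if path $1 is owned by one of the uids listed in $2.
owned_by() {
    for uid in $2; do
        [ -n "$(find "$1" -prune -user "$uid" 2>/dev/null)" ] && return 0
    done
    return 1
}

# Print one finding per line; return 0 if clean, 1 otherwise.
audit_hook() {
    script=$1; trusted=${2:-0}; rc=0
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "NOT-REGULAR-FILE $script"; return 1
    fi
    # The directory is checked too: write access to it allows replacing
    # the script even when the script itself is read-only.
    dir=$(dirname "$script")
    for p in "$script" "$dir"; do
        has_perm "$p" 0002 && { echo "WORLD-WRITABLE $p"; rc=1; }
        has_perm "$p" 0020 && { echo "GROUP-WRITABLE $p"; rc=1; }
        owned_by "$p" "$trusted" || { echo "UNTRUSTED-OWNER $p"; rc=1; }
    done
    return $rc
}
```

For the setup in this thread the call would be `audit_hook /usr/local/bin/wolping.sh "0 $(id -u backuppc)"`, run before and after the `chmod go-w`.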
