Inetd and xinetd are not options for me to use on my solaris boxen. The
linux box has no problems running through netcat, and I use it as a
testing box for my installs. My question is about getting amandad to
run through netcat or something similar, but not (x)inetd. I am pretty
sure that netcat works fine, as it runs well under linux and works in
conjunction w/ a shell on solaris. I am looking to test amandad [sudo
-u amanda (has root group perm to devices)] and be verbal about it. Here
is my amandad log:
amandad: debug 1 pid 27042 ruid 742 euid 742 start time Thu Aug 8 13:42:35 2002
amandad: version 2.4.2p2
amandad: build: VERSION="Amanda-2.4.2p2"
amandad: BUILT_DATE="Wed Aug 7 16:26:37 EDT 2002"
amandad: BUILT_MACH="SunOS grinch 5.8 Generic_108528-09 sun4u sparc SUNW,UltraAX-i2"
amandad: CC="gcc"
amandad: paths: bindir="/usr/local/bin" sbindir="/usr/local/sbin"
amandad: libexecdir="/usr/local/libexec" mandir="/usr/local/man"
amandad: AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
amandad: CONFIG_DIR="/usr/local/etc/amanda" DEV_PREFIX="/dev/dsk/"
amandad: RDEV_PREFIX="/dev/rdsk/" DUMP="/usr/sbin/ufsdump"
amandad: RESTORE="/usr/sbin/ufsrestore" GNUTAR="/usr/local/bin/tar"
amandad: COMPRESS_PATH="/usr/local/bin/gzip"
amandad: UNCOMPRESS_PATH="/usr/local/bin/gzip"
amandad: MAILER="/usr/bin/mailx"
amandad: listed_incr_dir="/usr/local/var/amanda/gnutar-lists"
amandad: defs: DEFAULT_SERVER="backup.localnet.sys"
amandad: DEFAULT_CONFIG="DailySet1"
amandad: DEFAULT_TAPE_SERVER="backup.localnet.sys"
amandad: DEFAULT_TAPE_DEVICE="/dev/null" HAVE_MMAP HAVE_SYSVSHM
amandad: LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
amandad: AMANDA_DEBUG_DAYS=4 BSD_SECURITY USE_AMANDAHOSTS
amandad: CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
amandad: COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
amandad: COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
got packet:
--------
Amanda 2.4 REQ HANDLE 001-309F0708 SEQ 1028829247
SECURITY USER amanda
SERVICE selfcheck
OPTIONS ;
GNUTAR c0t0d0s5 0 OPTIONS |;bsd-auth;index;exclude-list=/usr/local/lib/amanda/exclude.gtar;
--------
sending ack:
----
Amanda 2.4 ACK HANDLE 001-309F0708 SEQ 1028829247
----
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
bsd security: remote host "tapeserver FQDN" user amanda local user amanda
amandahosts security check passed
amandad: running service "/usr/local/libexec/selfcheck"
amandad: sending REP packet:
----
Amanda 2.4 REP HANDLE 001-309F0708 SEQ 1028829247
OPTIONS ;
OK /export/home
OK /usr/local/libexec/runtar executable
OK /usr/local/bin/tar executable
OK /etc/amandates read/writable
OK /usr/local/var/amanda/gnutar-lists/. read/writable
OK /dev/null read/writable
OK /tmp/amanda has more than 64 KB available.
OK /tmp/amanda has more than 64 KB available.
OK /etc has more than 64 KB available.
----
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
amandad: got packet:
----
Amanda 2.4 REQ HANDLE 001-309F0708 SEQ 1028829247
SECURITY USER amanda
SERVICE selfcheck
OPTIONS ;
GNUTAR c0t0d0s5 0 OPTIONS |;bsd-auth;index;exclude-list=/usr/local/lib/amanda/exclude.gtar;
----
amandad: It's not an ack
amandad: sending REP packet:
----
Amanda 2.4 REP HANDLE 001-309F0708 SEQ 1028829247
OPTIONS ;
OK /export/home
OK /usr/local/libexec/runtar executable
OK /usr/local/bin/tar executable
OK /etc/amandates read/writable
OK /usr/local/var/amanda/gnutar-lists/. read/writable
OK /dev/null read/writable
OK /tmp/amanda has more than 64 KB available.
OK /tmp/amanda has more than 64 KB available.
OK /etc has more than 64 KB available.
----
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
amandad: got packet:
----
Amanda 2.4 REQ HANDLE 001-309F0708 SEQ 1028829247
SECURITY USER amanda
SERVICE selfcheck
OPTIONS ;
GNUTAR c0t0d0s5 0 OPTIONS |;bsd-auth;index;exclude-list=/usr/local/lib/amanda/exclude.gtar;
----
amandad: It's not an ack
amandad: sending REP packet:
----
Amanda 2.4 REP HANDLE 001-309F0708 SEQ 1028829247
OPTIONS ;
OK /export/home
OK /usr/local/libexec/runtar executable
OK /usr/local/bin/tar executable
OK /etc/amandates read/writable
OK /usr/local/var/amanda/gnutar-lists/. read/writable
OK /dev/null read/writable
OK /tmp/amanda has more than 64 KB available.
OK /tmp/amanda has more than 64 KB available.
OK /etc has more than 64 KB available.
----
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, retrying
amandad: dgram_send_addr: sendto(IPREMOVED.522) failed: Transport endpoint is already connected
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, retrying
amandad: dgram_send_addr: sendto(IPREMOVED.522) failed: Transport endpoint is already connected
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, retrying
amandad: dgram_send_addr: sendto(IPREMOVED.522) failed: Transport endpoint is already connected
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, retrying
amandad: dgram_send_addr: sendto(TAPEIPREMOVED.522) failed: Transport endpoint is already connected
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, giving up!
amandad: pid 27042 finish time Thu Aug 8 13:43:45 2002
This is from an amcheck from the tapehost. Other servers check out fine.
I hope that someone can help me out,
Adam Read
LocalNet Corp.
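As an added example (not part of this thread and not Amanda's own code), a small Python checker that reads an amandad debug log like the one above and summarises the exchange: how many REQ packets arrived for the same HANDLE/SEQ, how many outbound sendto() calls failed and with what error, and whether the daemon gave up. The embedded sample log is a constructed, abridged copy of the excerpt above; the reading that "Transport endpoint is already connected" (EISCONN) means the UDP socket amandad inherited had already been connect()ed by the listener is my interpretation, not something the thread states.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the amandad debug log quoted in the message
# above (abridged; the IP placeholder is the poster's own).
SAMPLE_LOG = """\
Amanda 2.4 REQ HANDLE 001-309F0708 SEQ 1028829247
Amanda 2.4 ACK HANDLE 001-309F0708 SEQ 1028829247
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
Amanda 2.4 REP HANDLE 001-309F0708 SEQ 1028829247
amandad: dgram_send_addr: sendto(TAPE_SERVER_IP_REMOVED.522) failed: Transport endpoint is already connected
Amanda 2.4 REQ HANDLE 001-309F0708 SEQ 1028829247
amandad: It's not an ack
amandad: dgram_recv: timeout after 10 seconds
amandad: waiting for ack: timeout, giving up!
"""

# Amanda 2.4 packet header line and the dgram_send_addr failure line.
PKT = re.compile(r"^Amanda 2\.4 (REQ|ACK|REP) HANDLE (\S+) SEQ (\d+)$")
SENDFAIL = re.compile(r"dgram_send_addr: sendto\((\S+)\) failed: (.+)$")

def diagnose(log):
    """Count packets per (HANDLE, SEQ) and send failures by error text."""
    packets, failures, gave_up = {}, Counter(), False
    for line in log.splitlines():
        m = PKT.match(line)
        if m:
            kind, handle, seq = m.groups()
            packets.setdefault((handle, seq), Counter())[kind] += 1
            continue
        m = SENDFAIL.search(line)
        if m:
            failures[m.group(2)] += 1
        elif "giving up" in line:
            gave_up = True
    findings = []
    for (handle, seq), kinds in packets.items():
        if kinds["REQ"] > 1 and kinds["ACK"]:
            findings.append(f"{handle}/{seq}: server resent REQ {kinds['REQ']}x; "
                            "our ACK/REP never reached it")
    for err, n in failures.items():
        findings.append(f"{n} outbound sendto() calls failed: {err}")
        if "already connected" in err:  # EISCONN: inherited socket was connect()ed
            findings.append("inherited UDP socket is already connected; amandad "
                            "needs an unconnected socket to reply via sendto()")
    if gave_up:
        findings.append("amandad timed out waiting for ACK and exited")
    return {"packets": packets, "send_failures": failures,
            "gave_up": gave_up, "findings": findings}
```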
Gene Heskett wrote:
On Thursday 08 August 2002 11:34, Adam D. Read wrote:
Hello,
In an effort to secure our servers, we do not run inetd at all,
instead using tcpserver as a wrapper for our TCP services. Since
amandad is a UDP based service, netcat is the option of choice,
having it exec amandad upon connection(run through daemontools).
This works well on a linux box, but my first solaris box I
started on is giving me trouble. I am running SunOS 5.8 and have
the newest stable amanda and netcat. I tested netcat w/ bash and
it exec'd the shell perfectly through the UDP connection. Is
there a way to test amandad to make sure it is functioning at
all? It exits as soon as anything is sent to it through netcat.
1. That so-called security aspect is why RH converted to xinetd as
that gives quite a bit more control over who can and can't run
these services. They in fact don't run until somebody with
authorization to run them asks for them. They're not even loaded
unless they are still sitting there from the last time.
2. Amanda won't run when launched by a root user. Another security
measure I'm told.
3. So far, since RH7.0, I've had zilch problems running amanda
through the services of xinetd.
So I'd be not terribly worried about some xinetd controlled service
falling into the wrong hands, at least until we've had the first
report that someone used it to gain access they weren't privileged
for. That may have happened, but I'd think this list would be the
first to hear about it and we haven't heard a peep about that.
Now assuming you've compiled amanda so the owner:group is
amanda:disk, this file copied into your /etc/xinetd.d directory as
'amanda', and edited to fix the paths for your situation, should
make it work. These are the default paths FWIW.
-------------------------------------------
# default = off
#
# description: Part of the Amanda server package
# This is the list of daemons & such it needs
service amanda
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amandad
}
service amandaidx
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amindexd
}
service amidxtape
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amidxtaped
}
-----------------------------------------------
Amanda can also use the file /home/her-user-name/.amandahosts as an
additional level of control as to who can run her. See the docs
for setting that up.