I've successfully patched the amindexd.c file of v2.4.4 to obtain my goal.
I've seen that in your original code you have left this:
#if 0
/* only let a client restore itself for now unless it is the server */
if (strcasecmp(remote_hostname, local_hostname) == 0)
return 0;
if (strcasecmp(remote_hostname, host) != 0)
{
reply(501,
"You don't have the necessary permissions to set dump host to
%s.",
buf1);
return -1;
}
#endif
didn't you remember about this?
This piece of code makes what I need.
Obviously the security implemented in this way is too weak but it is only a
matter of HOW to do it better.
I'll post a patch when I've finished the "more secure" authentication
method.
Bye
Stefano Coletta
http://www.mindcreations.com
> -----Messaggio originale-----
> Da: owner-amanda-users AT amanda DOT org
> [mailto:owner-amanda-users AT amanda DOT org] Per conto di
> Jean-Louis Martineau
> Inviato: mercoledì 30 aprile 2003 15.58
> A: Creator
> Cc: amanda-users AT amanda DOT org
> Oggetto: Re: R: R: Access restriction in amrecover
>
>
> On Tue, Apr 29, 2003 at 03:51:57PM +0200, Creator wrote:
> > I'm sorry Jean-Louis but it is not clear to me how to
> implement your
> > suggestion.
>
> I didn't say that it's possible to do it now with amanda, you
> will have to patch amanda if you want this feature.
>
> > Please, can you provide a configuration example?
>
> Add an entry 'restore_host' in a dumptype that list the host
> that can restore this DLE.
>
> eg. restore_host hosta.domain.com hostb.domain.com
>
> You will have to patch amindexd and amidxtaped to use and
> enforce the restore_host option, the default is that all host
> can restore a DLE.
>
> I see one big problem with that, if a customer start a
> recovery just before your amdump start, your amdump will not
> be able to use the drive, all dump will go to holding disk.
>
> Jean-Louis
> >
> > > -----Messaggio originale-----
> > > Da: Jean-Louis Martineau [mailto:martinea AT IRO.UMontreal DOT CA]
> > > Inviato: giovedì 24 aprile 2003 20.21
> > > A: Creator
> > > Cc: amanda-users AT amanda DOT org
> > > Oggetto: Re: R: Access restriction in amrecover
> > >
> > >
> > > On Thu, Apr 24, 2003 at 08:59:38AM +0200, Creator wrote:
> > > > I think it may be achieved using server-side
> authentication so no
> > > > matter which user you are running amrecover from the client.
> > > >
> > > > Without proper authentication I'm forced to close the firewall
> > > > port
> > > > 80012 to deny access to the index daemon. It is the only
> > > way I have to
> > > > limit customers from restoring other people backups.
> > > >
> > > > In this case I'm forced to do the restores for them wasting my
> > > > time.
> > > > 1) I have to extract their data somewhere
> > > > 2) I have to give them access to it to let them browse
> their files
> > > > Result: no handy selective restore procedure :(
> > > >
> > > > In the way I've proposed (like: customer can access only
> > > his data) I
> > > > can simply mount the tape on the tapechanger and let the
> > > customer do
> > > > their restore comfortably using amrecover.
> > > >
> > > > I'm going to have a bad shape if I cannot work around
> this limit.
> > >
> > > It could be done easily, add a dumptype entry 'restore_host'
> > > which list the hostname (or ip) that can restore the DLE. The
> > > amindexd an amidxtaped daemon will have to check the
> > > connecting host with the host listed in restore_host for this DLE.
> > >
> > > Jean-Louis
> > > --
> > > Jean-Louis Martineau email:
> martineau AT IRO.UMontreal DOT CA
> > > Departement IRO, Universite de Montreal
> > > C.P. 6128, Succ. CENTRE-VILLE Tel: (514) 343-6111 ext. 3529
> > > Montreal, Canada, H3C 3J7 Fax: (514) 343-5834
> > >
> >
>
> --
> Jean-Louis Martineau email: martineau AT IRO.UMontreal DOT CA
> Departement IRO, Universite de Montreal
> C.P. 6128, Succ. CENTRE-VILLE Tel: (514) 343-6111 ext. 3529
> Montreal, Canada, H3C 3J7 Fax: (514) 343-5834
>
|