Subject: Re: How to build a user-driven restore interface for Amanda...
From: Jon LaBadie <jon AT jgcomp DOT com>
To: amanda-users AT amanda DOT org
Date: Thu, 22 May 2003 11:02:28 -0400
On Thu, May 22, 2003 at 08:00:10PM +0930, Richard Russell wrote:
> Hi all (and sorry for the cross-posting, but I think it's relevant to
> both lists),
> 
  ...
> 
> The Problem: amrecover is a text-driven interface that requires
> systems-type skills to select which files to restore. However, the
> process of selecting which files to restore, at least in the context of
> user home directories should be one that the user controls. There is
> nothing intrinsic about this process that should require sysadmin
> intervention, apart from manual tape changing, where that is necessary.
> 
> The Solution: A tool that allows people to select the files to be
> restored, while requiring them to know nothing but the location of the
> relevant files within their home directory, and the date to restore from
> (both of which should be browseable).
> 
  ...
> 
> Anyway, what do people think of this idea? Any volunteers? Anyone spot
> any glaring problems? Is there anything else I should attempt to think
> through?


One major problem that I see, and one that I think would cause me to not
implement this on my systems, is security.  amrecover/amrestore are restricted
to the root user for a reason.  Ordinary users are not allowed access to some
files.  They are not even allowed to view the names of files in some 
directories.
Yet your scheme would allow users to browse the backup indices and even perhaps
recover files they should have access to?

As currently implemented (and I don't see this changing) the only place the
access rights to dirs and files are stored is in the dumps themselves, on tape.
So if you wanted to properly restrict your user interface, you would have to
read all the tapes.  Even doing that, suppose there was a DLE of /a/b/c/foo.
All the info on the tape would be from "foo" down.  How would you know if
something in the path /a/b/c might not restrict the user's access to foo?

Your interface might restrict a user to recovering things only under their
home directory.  But surely in this vast unix-land there are user home directory
trees that have inaccessible regions.

jl
-- 
Jon H. LaBadie                  jon AT jgcomp DOT com
 JG Computing
 4455 Province Line Road        (609) 252-0159
 Princeton, NJ  08540-4322      (609) 683-7220 (fax)
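An added illustration of the ancestor-permission gap described above (example code written for this note, not part of Amanda or the original thread; the index layout, Entry fields and sample paths are constructed): a restore front end that only has the dump's own metadata cannot decide access to anything under a DLE rooted at /a/b/c/foo, because the search permission on /a, /a/b and /a/b/c is simply not in the index.

```python
from typing import Dict, NamedTuple, Optional, Set

class Entry(NamedTuple):
    """Ownership and permission bits as a dump's index might record them."""
    uid: int
    gid: int
    mode: int  # st_mode & 0o777

# Constructed sample: what a dump of the DLE "/a/b/c/foo" carries.
# Only paths at or below the DLE root exist; /a, /a/b, /a/b/c do not.
DUMP_INDEX: Dict[str, Entry] = {
    "/a/b/c/foo": Entry(0, 0, 0o755),
    "/a/b/c/foo/public.txt": Entry(0, 0, 0o644),
    "/a/b/c/foo/private": Entry(0, 0, 0o700),
    "/a/b/c/foo/private/secret.txt": Entry(0, 0, 0o600),
}

# Constructed sample: the same tree in a dump whose DLE is "/", so the
# ancestor directories are present and the check becomes decidable.
FULL_INDEX: Dict[str, Entry] = {
    "/a": Entry(0, 0, 0o755), "/a/b": Entry(0, 0, 0o755),
    "/a/b/c": Entry(0, 0, 0o755), **DUMP_INDEX,
}

def _permits(e: Entry, uid: int, gids: Set[int], want: int) -> bool:
    """Classic Unix owner/group/other test for one permission bit (r=4, x=1)."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & (want << 6))
    if e.gid in gids:
        return bool(e.mode & (want << 3))
    return bool(e.mode & want)

def _ancestors(path: str):
    parts = path.rstrip("/").split("/")[1:]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def may_restore(index: Dict[str, Entry], path: str,
                uid: int, gids: Set[int]) -> Optional[bool]:
    """True/False when the index alone can decide; None when an ancestor
    directory is missing from the index (outside the DLE), so the user's
    real access to the file cannot be established from the tape data."""
    for d in _ancestors(path):          # every directory on the way needs x
        e = index.get(d)
        if e is None:
            return None
        if not _permits(e, uid, gids, 1):
            return False
    e = index.get(path)
    return None if e is None else _permits(e, uid, gids, 4)
```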