Amanda-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Configuring RH7.2 Amanda out of the box - error accessing Ama nda hosts file.

2003-05-31 13:39:22
Subject: Re: Configuring RH7.2 Amanda out of the box - error accessing Ama nda hosts file.
From: Gene Heskett <gene.heskett AT verizon DOT net>
To: "Wojciech Jedliczka" <wj AT 3v DOT pl>
Date: Sat, 31 May 2003 13:33:04 -0400 
On Saturday 31 May 2003 06:14, Wojciech Jedliczka wrote:
>----- Original Message -----
From: "Gene Heskett"
>To: "Wojciech Jedliczka"; "Kevin Passey"
>Sent: Saturday, May 31, 2003 11:24 AM
>Subject: Re: Configuring RH7.2 Amanda out of the box - error
> accessing Ama nda hosts file.
>
>> On Saturday 31 May 2003 04:40, Wojciech Jedliczka wrote:
>> >Hi,
>> >
>> >> I thought that once I sent the mail so I added both it now
>> >> looks like
>> >>
>> >> dilmom.as400resource.com amanda
>> >> dilmom amanda
>> >>
>> >> Still no Joy !!
>> >>
>> >> Thanks for your reply anyway.
>> >>
>> >> Regards
>> >>
>> >> Kevin
>> >>
>> >> -----Original Message-----
>> >>
>> >> *snip*
>> >>
>> >> > Amanda Backup Client Hosts Check
>> >> > --------------------------------
>> >> > ERROR: dilmom: [access as amanda not allowed from
>> >> > amanda@dilmom] open of /home/amanda/.amandahosts failed
>> >> > ^^^^^^^^^^^^^
>> >
>> >Check the owner and permisions of  '/home/amanda/.amandahosts' -
>> >should be amanda.disk and 660.
>> >
>> >WJ
>>
>> Nope, 0600.  RTM please.
>>
>> --
>> Cheers, Gene
>
>Gene,
>I always RTFM many times.
>Inside all docs files in amanda distribution is no place
>giving suggestion about .amandahosts permissions.
>Amandahosts file is used for authorization and therefore
>it is important who owns these file and who has access
>to read and write.
>From the security point of view is better to has 600
>than 660 but both are acceptable for me.

You are absolutely correct in that a grep for 0600 in the docs 
directory of the latest image comes back empty. However, its been 
quoted here several times that amanda does check those perms, and 
will reject the file if anyone BUT amanda (and of course root) has 
access rights.

Apparently this is considered a security leak if the software informs 
the user whats wrong so that he can fix it.  From current snapshot, 
common-src/security.c:
------------------------------
security.c:    ptmp = stralloc2(pwptr->pw_dir, "/.amandahosts");
security.c-    if((fPerm = fopen(ptmp, "r")) == NULL) {
security.c-     /*
security.c-      * Put an explanation in the amandad.debug log that
                        will help a
security.c-      * system administrator fix the problem, but don't
                        send a clue
security.c-      * back to the other end to tell them what to fix in 
                        order to
security.c-      * be able to hack our system.
security.c-         */
security.c-     dbprintf(("%s: fopen of %s failed: %s\n",
security.c-               debug_prefix_time(NULL), ptmp, 
                                strerror(errno)));
security.c-     *errstr = vstralloc("[",
security.c-                         "access as ", localuser, " not 
                                        allowed",
security.c-                         " from ", remoteuser, "@", 
                                        remotehost,
security.c-                         "] open of ",
security.c-                         ptmp,
security.c-                         " failed", NULL);
--------------etc---------------
>
>The only one place where you can find a note about
>.amandahost file permissions is www.backupcentral.com/amanda-13.html
>which I am treating as a guide for the Amanda written some day
>in the past.

Unless Dave has updated it, its about 2 years old.  However, I don't 
recall that this particular item has been changed.  But as in all 
things amanda, I'll defer to the authors if they'd like to chime in 
and correct me.

>When I am trying to help someone via list I am usually checking
>my servers settings and not always RTFM. In this case I have
>checked my RH9 Amanda server installed during RH9 automatic
>built. Amandahosts has 660 so that is why I have sent such
>suggestion for Kevin. My second Amanda server built from
>source has .amandahosts 600.

Redhat set incorrect perms on that file in that event, probably so 
that their installer didn't have to become 'amanda' to write it in 
the first place, and one more reason to excise the rpm completely and 
install from a recent tarball.  The tarball unpack, configure, build 
and install is a 4 minute job on recent hardware, but the 
configuration OF the install will take several more hours for the 
gnubee.

There are plenty of folks here who will be glad to help you however. 
:)

>Cheers, Wojtek

-- 
Cheers, Gene
AMD K6-III@500mhz 320M
Athlon1600XP@1400mhz  512M
99.26% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attornies please note, additions to this message
by Gene Heskett are:
Copyright 2003 by Maurice Eugene Heskett, all rights reserved.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Configuring RH7.2 Amanda out of the box - error accessing Ama nda hosts file., Jon LaBadie
Next by Date:  Re: Failed Backups, Chris Gordon
Previous by Thread:  Re: Configuring RH7.2 Amanda out of the box - error accessing Ama nda hosts file., Jon LaBadie
Next by Thread:  Inanilmaz Fiyatlarla Web Tasarim Kampanyasi ! !, Studio Web Hizmetleri
Indexes:  [Date] [Thread] [Top] [All Lists]