On Thu, May 20, 2004 at 12:57:08AM +0000, Lars Kellogg-Stedman wrote:
> I'm following up on an issue that was posted to this list back in
> January:
> 
> > JLM pointed out another thing I did not know.  amcheck does not consider
> > it an error for the file to not exist, it is listed as "optional".  But
> > amcheck does consider it an error if the file has the wrong permissions
> > or if it is unable to determine if it exists.
> 
> I'm running into exactly this problem.  In my dumptypes file, I have:
> 
>   exclude list optional ".amanda.exclude"
> 
> In my disklist file, I'm backing up individual home directories:
> 
>   arcadia /export/home/lars       comp-user-tar
> 
> Permissions on this directory are 750, so amcheck is failing:
> 
>   ERROR: backuphost: [Can't open exclude file
>   '/export/home/lars/.amanda.exclude': Permission denied]
> 
> Of course, amcheck (and amandad) are running as user 'amanda' when running
> this check, while the backup itself is performed as root (since the
> 'runtar' command is SUID root)
> 
...
> I'm hesitant to make things globally readable just to make Amanda work, so
> I've worked around the problem on my Linux system using ACLs:
> 
>   setfacl -m u:amanda:rwx /export/home/*

Nice approach.

Another approach, if ACL's are unavailable or ?overkill?,
would be to give the directory world execute permission (751).
Then a process could access a specific file if it "knows its name"
but searchs like "ls" or "cat *" would not work because
read permission was denied.

-- 
Jon H. LaBadie                  jon AT jgcomp DOT com
 JG Computing
 4455 Province Line Road        (609) 252-0159
 Princeton, NJ  08540-4322      (609) 683-7220 (fax)