On Thu, May 20, 2004 at 04:47:32PM -0400, Gene Heskett wrote:
> On Thursday 20 May 2004 14:10, Steven Schoch wrote:
> > The client (named "marge") is
> > running FreeBSD 4.7, running amanda 2.4.4p2 compiled from source
> >
> >./configure --without-server --with-group=amanda --with-user=amanda
> >--with-amandahosts
> 
> This is the wrong group

Agreed.  For our FreeBSD systems it's group "operator".


> the group may be bin, backup or disk, but it 
> should have essentially root rights to the system.

I strongly disagree!  Maybe "backup" or "disk", depending on the
box, but NOT "bin" (I posted on this a couple of days ago), and
NOT "essentially root rights".

The only special privilege the Amanda client needs is to read
data off the disks.  Precisely what privilege that consists of
depends on the circumstances:
  - For gtar, you need root.  More specifically, gtar itself
    needs root, but the rest of the Amanda process tree doesn't.
    Amanda provides the runtar wrapper program, which is
    installed setuid root, to give gtar the privilege it needs.
    Thus, Amanda can run under any user+group combination at all.

    Safety suggests creating a user and group specifically for
    Amanda, especially because that's the best way to keep
    ordinary users from being able to use runtar for their own
    nefarious purposes (this works because runtar is installed
    as:
        -rwsr-x---    1 root     XXX         36615 Jun 25  2003 runtar
    where XXX is the group specified to "--with-group", i.e.
    without world execute permission).

    On the system where we use gtar, I made the obvious choice:
    "--with-group=amanda".

  - On some systems, dump (or the local equivalent -- ufsdump,
    vfxdump, or whatever) also needs root.  But again, Amanda
    provides a setuid-root wrapper, rundump, to accomplish that,
    so all of the above applies to this case too.  (rundump is
    only installed on systems whose dump requires it, or you can
    force the issue by passing "--with-rundump" to configure.)

  - On other systems, including FreeBSD, all dump needs is read
    (but NOT write) permission on the disk-device special files.
    One of these, chosen at random from one of our FreeBSD boxen,
    looks like this:
        crw-r-----  2 root  operator  116,  27 Apr 28  2003 /dev/rad3d
    Thus, building Amanda with "--with-group=operator" is all
    that's needed.  On this box, the "operator" group doesn't
    have access to very much else at all.  If it had, I'd
    probably have created a new group for Amanda and chgrp'ed the
    special files in question.

    On our Solaris boxes, the group with read-only access to the
    disk special files is "sys".  So that's what I built Amanda
    with for Solaris.  To be honest, I no longer remember whether
    either Solaris or FreeBSD sets up disk-device special files
    this way "out of the box", or whether I did it myself.


> A gid <=10 is 
> desireable.

This doesn't seem relevent one way or the other.  No gid's have
any special privilege as far as the kernel is concerned.  (And
even for uid's, <=10 has no significance -- only ==0 is magic.)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        erics AT telepres DOT com
|  |  /
It must be said that they would have sounded better if the singer
wouldn't throw his fellow band members to the ground and toss the
drum kit around during songs.
        - Patrick Lenneau