Amanda-Users

Re: Fedora Core 3 - which version of tar??

2005-01-24 16:07:36
Subject: Re: Fedora Core 3 - which version of tar??
From: Gene Heskett <gene.heskett AT verizon DOT net>
To: amanda-users AT amanda DOT org
Date: Mon, 24 Jan 2005 15:51:13 -0500
On Monday 24 January 2005 13:01, Eric Siegerman wrote:
>On Fri, Jan 21, 2005 at 11:05:23PM -0500, Gene Heskett wrote:
>> Most users are not that privileged, and should not be.  And that's
>> the main justification for a separate user to run amanda.
>
>Agreed 100%!
>
>"erics" isn't a member of "disk".  (Sorry I didn't mention that.
>I agree with the above so fully that the possibility never even
>occurred to me. :-) The reason I mentioned building under my own
>account was to back up my assertion that building as the Amanda
>user, or with any other kind of special privilege, is
>unnecessary.
>
>The build shouldn't need any particular permissions at all,
>since in theory:
>  - the build doesn't modify any files outside the build (and
>    maybe source) trees
>
>  - any user or group ids that get hard-wired at build time are
>    taken from the --with-user, --with-owner, or --with-group
>    config parameters, not from getuid() or the like
>
>If the above claim is false, i.e. if building Amanda as your
>Amanda user works better for you than building it as a completely
>unprivileged user (given that both builds are installed as root),
>then IMO that's a bug in Amanda.  In that case, continuing to
>build as the Amanda user might be a useful workaround, but should
>only remain necessary until the bug gets fixed.
>
>Gene, on your system, if you build Amanda as a vanilla,
>unprivileged user -- not root, not in the "disk" group -- and
>then install it as root, what specifically goes wrong?
>
Pretty good question, Eric.  I'll modify my config script to reject 
root rather than demand amanda, or something along those lines and 
give it a shot.  Actually, it now rejects root and tells you to use 
the user amanda, but doesn't die if it's anything but root.

First, in that directory, chown gene:nobody *
then become gene
./gh.cf
and the build seems to be proceeding normally, but the build will 
still be looking for the operator amanda, and group disk, I didn't 
change that portion of my script.  It's done, become root
and make install, which seemed to be ok, and an ldconfig.
Now become 'amanda' and do an amcheck, which works just fine.
Back out of that and become 'gene' and the permissions are denied, the 
user gene, even though he built it, cannot run it.
--------------------
[amanda@coyote amanda-2.4.5b1-20041221]$ amcheck Daily
Amanda Tape Server Host Check
-----------------------------
Holding disk /dumps: 26508 MB disk space available, using 26008 MB
amcheck-server: slot 7: date 20050107 label Dailys-7 (exact label match)
NOTE: skipping tape-writable test
Tape Dailys-7 label ok
NOTE: info dir /usr/local/var/amanda/Daily/curinfo/coyote/_usr_dlds-misc_FC3-SRPMS: does not exist
NOTE: index dir /usr/local/var/amanda/Daily/index/coyote/_usr_dlds-misc_FC3-SRPMS: does not exist
Server check took 0.478 seconds

Amanda Backup Client Hosts Check
--------------------------------
Client check: 2 hosts checked in 0.264 seconds, 0 problems found

(brought to you by Amanda 2.4.5b1-20041221)
----------------
[amanda@coyote amanda-2.4.5b1-20041221]$ exit
[root@coyote amanda-2.4.5b1-20041221]# su gene
[gene@coyote amanda-2.4.5b1-20041221]$ amcheck Daily
bash: /usr/local/sbin/amcheck: Permission denied
----------------

So basically it has to be run by whoever is set in the configuration, 
but not by who built it.  If I were to change that line in the 
configuration, then I'd assume gene could run it, but not amanda.

I'll leave it this way for now & see how it runs tonight.

>--
>
>|  | /\
>|
>|-_|/  >   Eric Siegerman, Toronto, Ont.        erics AT telepres DOT com
>|
>|  |  /
>
>The animal that coils in a circle is the serpent; that's why so
>many cults and myths of the serpent exist, because it's hard to
>represent the return of the sun by the coiling of a hippopotamus.
>       - Umberto Eco, "Foucault's Pendulum"

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.32% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attorneys please note, additions to this message
by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
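
Added example, not part of the message above and not Amanda's own code: a model of the POSIX execute-permission check that produces the "Permission denied" in the transcript, showing that only the installed owner, group and mode matter and the account that ran the build is never consulted. The root:disk ownership, mode 0750 and numeric ids are constructed assumptions; the thread does not show the actual mode of /usr/local/sbin/amcheck.

```python
import os
import pwd
import stat


def can_execute(mode, file_uid, file_gid, uid, gids):
    """POSIX class selection: exactly one of owner/group/other applies.

    Ignores ACLs, noexec mounts and directory search permission.
    """
    if uid == 0:
        # root may execute a file if any execute bit is set at all
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == file_uid:
        # The owner class wins even when it denies and a group would allow
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def check_path(path, username):
    """Apply the same check to a real installed file for a named account."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return can_execute(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


# Constructed sample values (assumptions, not taken from the thread)
ROOT, AMANDA, GENE = 0, 33, 500      # numeric uids
DISK, GENE_GRP = 6, 500              # numeric gids
INSTALLED = dict(mode=0o100750, file_uid=ROOT, file_gid=DISK)  # root:disk 0750


def demo():
    """amanda is in group disk; gene built the tree but is not in disk."""
    return {
        "amanda": can_execute(uid=AMANDA, gids={DISK}, **INSTALLED),
        "gene": can_execute(uid=GENE, gids={GENE_GRP}, **INSTALLED),
    }


if __name__ == "__main__":
    print(demo())
```

On a live system, check_path("/usr/local/sbin/amcheck", "gene") applies the same logic to the real file metadata.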