BackupPC-users

Re: [BackupPC-users] first "full" never completes

2011-09-03 17:01:28
Subject: Re: [BackupPC-users] first "full" never completes
From: Holger Parplies <wbppc AT parplies DOT de>
To: hansbkk AT gmail DOT com
Date: Sat, 3 Sep 2011 22:59:28 +0200
Hi,

hansbkk AT gmail DOT com wrote on 2011-09-03 02:10:55 +0700 [Re: 
[BackupPC-users] first "full" never completes]:
> [...]
> I haven't been able to find in the docs a listing of what the permissions
> are supposed to be, and as a *nix noob, I may very well have screwed things
> up in that area messing around. I believe I set everything from TOPDIR down
> as owned by user backuppc and group www-data.
> 
> I'd appreciate a pointer to how it's supposed to be, and in the meantime
> will try a complete uninstall and re-install (moving my conf and pool data
> elsewhere first) and see how that goes. . .

just to try to (finally) give a definite answer to this question:

    It depends on what policies your BackupPC package has implemented!

Personally, I'd find a choice of group www-data ***stupid***, because it gives
*any web application* running on the server access to your pool data -
possibly including any amount of confidential information. There's a reason
for running the BackupPC_admin CGI setuid, and that's precisely avoiding this
mistake. The BackupPC CGI interface needs access to the pool, the rest of the
web server should *not* be allowed to access it in any way.

The Debian packages I know use a private group also named 'backuppc' and
permissions g=u,g-w (meaning same as user, but without write permission)
and no access for "others". Actually, these permissions would allow using a
different user for the CGI interface, who can browse the backups but has no
write access to the data (though I believe that is not actually done).

Concerning anything BackupPC creates itself, if that is not automatically
created with correct permissions, you've got a problem anyway. You should
*never* need to change permissions or ownership on anything below $TopDir.
If you're copying something, copy it correctly. Unless you know *exactly*
what you are doing, the permissions (and ownership, and timestamps) are
just as much part of the information as the data or the file names. While
it's true that you *can* presumably "fix" things you broke regarding
permissions, while you likely *cannot* fix errors in the data, prefer
avoiding breaking things in the first place. These points are not specific
to BackupPC, they apply as much with any other software's data files.

The only thing, I believe, BackupPC will *not* automatically create is $TopDir
itself. Again, your package is authoritative on what the permissions should
be, and if it gets this wrong, that's a bug.

*For sanity checking only*, $TopDir should be writeable for the user BackupPC
is running as (i.e. "backuppc"), readable and searchable for the CGI user
(usually also "backuppc", but could, in principle, differ) and not accessible
for "others". Ownership and group may be set up in a number of ways to achieve
this, subject to the implementation the package creator has chosen.

*Presuming the package creates all needed subdirectories under $TopDir and
gives them the correct permissions*, and only then, $TopDir might be left
*not* writeable for the BackupPC user, though I'm not sure what the point in
this would be.

Apparently, but this is only a wild guess, the Ubuntu package chooses the
latter option, but incorrectly determines when and how to create the
subdirectories (seems to skip this on reinstallation, even though they don't
exist or have wrong permissions). If this is true, it is a bug in the Ubuntu
package and should be reported to the appropriate BTS.

Assuming you still want to proceed with the Ubuntu package, it *might* help to
*purge* the package ("dpkg --purge backuppc") before re-installing it, but it
really depends on *how* the package comes up with the idea that it was
previously installed. Again, you probably shouldn't be testing with Ubuntu if
you are interested in the CentOS installation procedure.

Regards,
Holger
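
An added example, not part of Holger's message and not BackupPC code: a read-only Python audit of the sanity conditions described above (nothing accessible to "others", no group write as in g=u,g-w, group not the web server's). The function names, messages and command-line arguments are assumptions made for this illustration; it reports only and changes nothing on disk.

```python
import os
import stat
import sys

def check_mode(mode, gid, web_gid=None):
    """Return the problems for one lstat() result (st_mode, st_gid)."""
    problems = []
    if mode & 0o007:                      # any r/w/x bit for "others"
        problems.append("accessible to others")
    if mode & 0o020:                      # g=u,g-w means no group write
        problems.append("group-writable")
    if web_gid is not None and gid == web_gid:
        problems.append("group is the web server's group")
    return problems

def audit_topdir(top, web_gid=None):
    """Walk top without following symlinks; return [(path, problem), ...]."""
    st = os.lstat(top)
    if not stat.S_ISDIR(st.st_mode):
        return [(top, "not a directory")]
    findings = []
    # Sanity check only: a package that pre-creates every subdirectory
    # may legitimately leave TopDir itself non-writable for its owner.
    if (st.st_mode >> 6) & 7 != 7:
        findings.append((top, "owner lacks rwx on TopDir"))
    paths = [top]
    for root, dirs, files in os.walk(top):
        paths.extend(os.path.join(root, name) for name in dirs + files)
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):      # symlink modes carry no meaning
            continue
        for problem in check_mode(st.st_mode, st.st_gid, web_gid):
            findings.append((path, problem))
    return findings

if __name__ == "__main__":
    import grp
    top = sys.argv[1]                     # your $TopDir
    web_group = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    try:
        web_gid = grp.getgrnam(web_group).gr_gid
    except KeyError:                      # group does not exist on this host
        web_gid = None
    results = audit_topdir(top, web_gid)
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

Run it as a user who can read the whole tree, passing $TopDir as the first argument and, optionally, the web server's group name as the second.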

_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/