BackupPC-users

Re: [BackupPC-users] Parameter for incremental backups on localhost using tarCreate.sh script

2013-10-21 11:45:41
From: Holger Parplies <wbppc AT parplies DOT de>
To: Phil Reynolds <phil-backuppc AT tinsleyviaduct DOT com>
Date: Mon, 21 Oct 2013 17:10:23 +0200
Hi,

Phil Reynolds wrote on 2013-10-19 05:45:51 +0100 [Re: [BackupPC-users] Parameter for incremental backups on localhost using tarCreate.sh script]:
> On Sat, 19 Oct 2013 01:11:35 +0200
> Holger Parplies <wbppc AT parplies DOT de> wrote:
> > [...]
> > I don't really understand the need of a shell script, though.
> > What, exactly, was the point? It appears tarCreate.sh is adding a
> > '-c' option. Your sudo rule can enforce that just as well (and in a
> > way less prone to creating security holes).
> > 
> > backuppc ALL=NOPASSWD: /bin/tar -c *
> 
> Hmmm... I'd not thought of that as an option - the documentation I read
> claimed the script was better than merely allowing tar, which it is...
> but my limited experience of sudo meant I wasn't aware of the
> possibility you mention.

Re-reading this, I feel my suggestion was a bit ambiguous. Just to be clear:
sudo *doesn't add* options to commands it executes, it ensures that the rule
only applies if the options are already there. With the above rule, the
following will ("OK")/will not ("XX") work:

        OK> sudo tar -c -v -f /tmp/foo.tar /bar
        XX> sudo tar cvf /tmp/foo.tar /bar
        XX> sudo tar -v -f /tmp/foo.tar /bar
        XX> sudo tar -v -c -f /tmp/foo.tar /bar
        XX> sudo tar -cvf /tmp/foo.tar /bar

The second line will fail, because sudo doesn't know that 'c' and '-c' mean
the same to tar. The third, fourth and fifth will fail because the first
argument to tar is not '-c'. Again, sudo doesn't know that '-v -c', '-c -v'
and '-cv' are all equivalent for tar (there could be commands where that's
not the case).
Additionally, the third line wouldn't give a valid tar command line (no
function selected). For all the failing lines, sudo would ask for a password
and then deny access (unless granted by another line in /etc/sudoers).

To sum it up, what you put in /etc/sudoers doesn't *change* what you need to
put in your BackupPC configuration but rather tries to *match* it as closely
as possible and meaningful ('-c' and '-f -' are important, because they
prevent writing to the target system; '-v' and '-C /' don't make any
difference, because they don't limit a potential attacker in what he is able
to do).

So, presuming you have

        $Conf{TarClientCmd} = 'sudo $tarPath -c -v -f - -C / --totals';

I'd recommend

        backuppc ALL=NOPASSWD: /bin/tar -c -v -f - *

in /etc/sudoers.

> Planning to see what rsync is like as a method once I've perfected tar
> - then I'll go with whichever seems to cause me least bother.

There shouldn't be much difference.

        $Conf{RsyncClientCmd} = 'sudo $rsyncPath $argList';

        backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *

(you can add more arguments to that, but I don't think it will improve
security unless you can include the paths you are backing up, and they're at
the end, behind the ex-/includes ...).

As Les has already said, you should note, though, that rsync does more exact
incremental backups. tar might cause you bother when you're not expecting it -
when you need to restore something and don't get an exact snapshot of the
system at the time the backup was taken.

Regards,
Holger
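
The matching behaviour described in the message above, as an added example that is not part of the original post: a simplified Python model of how a single-command sudoers rule is compared with the typed command line (arguments joined into one string and glob-matched), run over the five sample lines and the `$Conf{TarClientCmd}` value. It assumes `tar` resolves to `/bin/tar`; the function names are hypothetical, and sudoers aliases, escapes and Runas specs are not modelled.

```python
import fnmatch
import shlex

def parse_rule(rule):
    """Return (command_path, arg_pattern) from 'user host=NOPASSWD: /path args'."""
    spec = rule.split(":", 1)[1].strip()
    path, _, arg_pattern = spec.partition(" ")
    return path, arg_pattern.strip()

def rule_allows(rule, command_line, resolved_path="/bin/tar"):
    """Simplified model: does the rule cover this command line?"""
    path, arg_pattern = parse_rule(rule)
    argv = shlex.split(command_line)
    if argv[0] == "sudo":
        argv = argv[1:]
    if resolved_path != path:        # sudo compares the fully resolved path
        return False
    args = " ".join(argv[1:])        # arguments are matched as one string
    if arg_pattern == "":            # rule without arguments: any arguments
        return True
    if arg_pattern == '""':          # rule with "": no arguments at all
        return args == ""
    return fnmatch.fnmatchcase(args, arg_pattern)

def expand_client_cmd(template, tar_path="/bin/tar"):
    """Substitute $tarPath the way the BackupPC setting is written on the page."""
    return template.replace("$tarPath", tar_path)

RULE_SHORT = "backuppc ALL=NOPASSWD: /bin/tar -c *"
RULE_FULL = "backuppc ALL=NOPASSWD: /bin/tar -c -v -f - *"
TAR_CLIENT_CMD = "sudo $tarPath -c -v -f - -C / --totals"

# The five command lines from the message, in the same order.
SAMPLES = [
    "sudo tar -c -v -f /tmp/foo.tar /bar",
    "sudo tar cvf /tmp/foo.tar /bar",
    "sudo tar -v -f /tmp/foo.tar /bar",
    "sudo tar -v -c -f /tmp/foo.tar /bar",
    "sudo tar -cvf /tmp/foo.tar /bar",
]

def check_samples(rule=RULE_SHORT):
    return [rule_allows(rule, line) for line in SAMPLES]

if __name__ == "__main__":
    for line, ok in zip(SAMPLES, check_samples()):
        print("OK>" if ok else "XX>", line)
    print("TarClientCmd covered by full rule:",
          rule_allows(RULE_FULL, expand_client_cmd(TAR_CLIENT_CMD)))
```

Under the longer rule the first sample line is no longer covered, because `-f /tmp/foo.tar` does not match `-f -`.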
