Greetings.  We recently upgraded one of our Amanda servers to Redhat 7.1 
(from Redhat 6.2), and we experienced some difficulties with the backup 
after that.  In particular, Amanda was suddenly unable to execute "runtar" 
on the server itself!  (I.e., it isn't a question of root access to 
NFS-mounted file systems, etc.)

This is on a server system which uses NIS as one source of information.

I found a thread on this topic from early this year in the archives for 
this list.  I didn't find that discussion particularly useful, as it 
focused mostly on obvious permission problems, etc.  I think the issue is a 
little more subtle than that and may relate to a bug in Redhat 
software.  I'd like to bounce some ideas off of this group to see if 
anybody has any additional insight.

The crucial thing about the use of runtar is that it is an suid (root) 
program, which allows *group* execution.  The idea is to place the amanda 
user (which we call amanda) into the group associated with runtar.

[root@server libexec]# pwd
/usr/local/libexec
[root@server libexec]# ls -l runtar
-rwsr-x---    1 root     amanda      99369 Jul  5 18:18 runtar

(Note that the associated group here was originally "adm", rather than 
amanda.  See discussion below.)

We had placed amanda into two groups, adm and disk.  That worked fine under 
Redhat 6.2.  It doesn't appear to work under Redhat 7.1.  The reason for 
that is, evidently, that Redhat's NIS implementation does not put group 
IDs lower than MINGID=500 into the NIS maps (see /var/yp/Makefile).  For 
instance:

[root@server libexec]# groups amanda
amanda : amanda adm disk


[root@server libexec]# ypcat -k group | grep amanda
amanda amanda:x:656:amanda

Putting amanda into a "non-privileged" group (also called amanda) and 
associating that group with runtar appears to have solved our problem.

But I still don't understand why this issue arose in the first place.  Our 
nsswitch.conf file calls for local files to be searched before the NIS maps 
are consulted for group information:

[root@server /etc]# grep group nsswitch.conf
#group:     db files nisplus nis
group:      files nis
netgroup:   files nis

Recall that this is all happening on one system, the server system.  Why 
isn't /etc/group consulted, thereby showing amanda's membership in the adm 
group?  Note that /etc is browseable by everybody and /etc/group is world 
readable.

Thanks.

                                         - Mike

==========
Michael Hannon            mailto:[EMAIL PROTECTED]
Dept. of Physics          530.752.4966
University of California  530.752.4717 FAX
Davis, CA 95616-8677
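As an added check, not part of the original post, the POSIX shell script below reads /etc/group-style lines and lists the supplementary groups of a user whose GID falls below MINGID, i.e. the memberships that a NIS map built with that MINGID will not carry. The group lines are constructed sample data, and the "MINGID=500" line format in /var/yp/Makefile is assumed from the post.

```shell
#!/bin/sh
# Constructed /etc/group-style sample (not the poster's real file):
# adm and disk sit below MINGID=500, the amanda group does not.
SAMPLE_GROUP='root:x:0:
adm:x:4:root,adm,daemon,amanda
disk:x:6:root,amanda
amanda:x:656:amanda'

# Print "group:gid" for every supplementary group of USER (arg 1) whose
# GID is below MINGID (arg 2), reading group lines from stdin. These are
# the memberships a NIS map built with that MINGID will never contain.
low_gid_groups() {
    awk -F: -v u="$1" -v min="$2" '
        $3 + 0 < min + 0 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) print $1 ":" $3
        }'
}

# Wrapper for cron/monitoring: exit 1 (and print the offending groups)
# when USER relies on any sub-MINGID group, exit 0 otherwise.
audit_user() {
    hits=$(low_gid_groups "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'WARNING: %s has groups below MINGID=%s missing from NIS:\n%s\n' \
            "$1" "$2" "$hits"
        return 1
    fi
    printf 'OK: every supplementary group of %s has GID >= %s\n' "$1" "$2"
}

# Read MINGID from /var/yp/Makefile (assumes a "MINGID=500" style line,
# as quoted in the post); fall back to 500 when the file is absent.
nis_mingid() {
    v=$(sed -n 's/^MINGID=[[:space:]]*\([0-9][0-9]*\).*/\1/p' /var/yp/Makefile 2>/dev/null)
    printf '%s\n' "${v:-500}"
}

# Demo against the constructed data; on a real host run instead:
#   audit_user amanda "$(nis_mingid)" < /etc/group
printf '%s\n' "$SAMPLE_GROUP" | audit_user amanda 500 || :
```

A non-zero exit from audit_user is the signal worth alerting on: the user's access to a group-restricted helper such as runtar depends on a membership that only the local files know about.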
