On Fri, Aug 04, 2006 at 07:03:39AM -0400, Gene Heskett enlightened us:
> This is a frequent problem when using a 'packaged' version of amanda. The
> rpm packagers in particular have demonstrated many times that they do not
> understand how amanda treats security issues. Amanda's build gives it
> enough perms to do the instant job each piece needs to do, and no more.
> This is why, when potential users run into these sorts of problems, that we
> universally recommend that it be built from the tarball, following
> amanda's instructions so that the amanda build and install can be done
> correctly.
>

Not to get off topic, and no offense Gene, but that second sentence is
entirely inaccurate. There are several problems with Amanda RPMs which
require compromises be made, but not understanding security and how amanda
works is definitely *not* one of them. Some of the problems include:

- Inability to know the hostname of the amanda server (or any server for
  that matter) on the client's network. Since amanda requires these at build
  time, the only logical compromise is to use localhost.
- Inability to know what user the software will be built as (if rebuilding a
  source RPM). There are RPM mechanisms in place that fix that, though not
  pretty, which set ownership to the appropriate user and permissions. I
  would argue that the fact these are in there (at least in the
  RedHat-produced RPMs) counters your point about not understanding the
  security needs.

As always, I consider http://www.math.ohiou.edu/~hyclak/casit/amanda/ a
worthwhile read for anyone using an RPM-based system, and recommend that
users of Amanda rebuild SRPMs for their environment. Jay has made it easier
with the latest Fedora Development RPMs to do that in the future.

Respectfully,
Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263