On Thu, May 16, 2019 at 16:52:57 -0600, Charles Curley wrote:
> * amanda seems to be creating a lot of stuff as amandabackup:disk. Is
>   that right? Shouldn't it be creating stuff as
>   amandabackup:amandabackup?

Before amanda packages are installed, I believe a Debian/Ubuntu system
starts out with no users in the "disk" group, and the only use of that
group is for ownership of block device files (e.g.
  # ls -l /dev/sda*
  brw-rw---- 1 root disk 8, 0 May 15 15:17 /dev/sda
  brw-rw---- 1 root disk 8, 1 May 15 15:17 /dev/sda1
  brw-rw---- 1 root disk 8, 2 May 15 15:17 /dev/sda2
  brw-rw---- 1 root disk 8, 3 May 15 15:17 /dev/sda3
)

Pages such as
  https://wiki.debian.org/SystemGroups
document the purpose of the "disk" group as "Raw access to disks."...
(and in fact warn that putting a user in that group is "Mostly
equivalent to root access").

As far as I understand, Amanda needs to use that "disk"-group permission
when using the "dump" backup utility, because "dump" directly reads
the source data via the filesystem's block device file. Other backup
tools (e.g. tar) do not directly access the block device and don't rely
on the "disk" group permissions.

On a couple systems I have here running the official Debian Amanda 3.5
packages (and on which I do _not_ use the "dump" program), the Amanda
packages don't seem to create any files with "disk"-group ownership.

However, the
  http://wiki.zmanda.com/index.php/Amanda_packages_from_Zmanda_downloads_page
page only mentions the "disk" group, and the preinst script uses the
"disk" group when creating the amandabackup user, so it's not too
surprising that files created by Zmanda-packaged Amanda programs end up
with "disk" group ownership....

This does feel like it goes against the usual Debian approach, though I
guess having files owned by "disk" isn't really a security risk (given
that presumably only the "amandabackup" user is a member of that group
anyway)...

> Am I creating the user correctly?
>
> adduser --disabled-password amandabackup
> adduser amandabackup disk

What does "grep amandabackup /etc/passwd /etc/group" show?

If I am understanding the source repo correctly, the amanda*.preinst
scripts (for the Zmanda packages) include logic to create the
amandabackup user with a hard-coded UID of "63998" (and a
primary/"initial login" group of "disk"). I guess the scripts won't
(re-)create or update the user if you have previously created it, but I
am curious to see which definition is actually in effect on your system.

                                                Nathan

----------------------------------------------------------------------------
Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
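
Added example, not part of the original message or of the Amanda packages: a shell function that lists every account holding a group, either as primary group (the passwd GID field, which is how the message describes the preinst-created user) or as a supplementary member (the /etc/group member list, which is what "adduser amandabackup disk" edits). The function name group_holders, the sample files, GID 6 and UID 1001 are assumptions made for the illustration; only UID 63998 comes from the message.

```shell
#!/bin/sh
# Added example: list every account holding a group, whether as primary
# group (passwd field 4) or supplementary member (group field 4).
# Usage: group_holders GROUP [PASSWD_FILE] [GROUP_FILE]
group_holders() {
    awk -F: -v grp="$1" '
        # Group file: remember the GID and the supplementary member list.
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") supp[m[i]] = 1
            }
            next
        }
        # Passwd file: primary holders first, then supplementary ones.
        gid != "" && $4 == gid { print $1 ":primary"; delete supp[$1]; next }
        ($1 in supp)           { print $1 ":supplementary"; delete supp[$1] }
        # Names listed in the group file that have no passwd entry.
        END { for (u in supp) print u ":supplementary-no-passwd-entry" }
    ' "${3:-/etc/group}" "${2:-/etc/passwd}" | sort
}

# Constructed sample files (not from a real system) for the two cases.
demo() {
    d=$(mktemp -d) || return 1
    # Case A: account created with "disk" as its primary group.
    printf '%s\n' 'disk:x:6:' > "$d/group.a"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'amandabackup:x:63998:6::/nonexistent:/bin/sh' > "$d/passwd.a"
    # Case B: "adduser amandabackup disk" on an existing account.
    printf '%s\n' 'disk:x:6:amandabackup' 'amandabackup:x:1001:' > "$d/group.b"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'amandabackup:x:1001:1001::/nonexistent:/bin/sh' > "$d/passwd.b"
    echo "A: $(group_holders disk "$d/passwd.a" "$d/group.a")"
    echo "B: $(group_holders disk "$d/passwd.b" "$d/group.b")"
    rm -rf "$d"
}
demo
```

In case A the "disk" line of the group file has an empty member list, so the account's membership is visible only through its passwd entry; with no file arguments, "group_holders disk" reads the live /etc/passwd and /etc/group.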