On Monday 27 May 2019 02:16:12 am Nathan Stratton Treadway wrote:

> On Mon, May 27, 2019 at 00:59:53 -0400, Gene Heskett wrote:
> > I figured the debs were using backup it was a good idea, just
> > because it adds another layer of security by having to look up group
> > to find backup is a member of the disk group.  But there's so many
> > places to change that
>
> Your User/Group info, copied from your other message:
> =====
> root@coyote:amanda$ grep amanda /etc/passwd
> amanda:x:1001:1001:xxxxxxxx,0,,:/home/amanda:/bin/bash
>
> root@coyote:amanda$ grep amanda /etc/group
> mail:x:8:gene,amanda
> amanda:x:1001:backup
>
> root@coyote:amanda$ grep backup /etc/group
> disk:x:6:gene,backup
> backup:x:34:
> amanda:x:1001:backup
>
> root@coyote:amanda$ grep backup /etc/passwd
> backup:x:34:34:backup:/var/backups:/bin/bash
> ======
>
> So... groups can't be members of groups in Unix; what you have right
> now is the _user_ "backup" as a member of the "disk" group (which
> doesn't matter at all to Amanda on your system)... and the user
> "amanda" is _not_ a member of "disk", which is why you are having
> permission problems trying to run the executables.
>
> So, trying to make the "backup" group a member of the "disk" group
> doesn't work... but you can achieve added security if you actually
> avoid the use of the "disk" group entirely.  Amanda used to need to
> be a member of that group in order to run the "dump" utility, but now
> under Linux a setuid "rundump" program can be used instead (and you don't
> use "dump" anyway -- even more reason you don't need "disk"
> membership).
>
>
> But if you do want to go down that road right now, you need to change
> your gh.cf script so that it has "--with-group=backup" in place of the
> current "--with-group=disk" line.
>
> Your most recent error message (copied from your post in the other
> thread) says:
> ======
> ERROR: program /usr/local/libexec/amanda/ambind: wrong permission, must be 'rwsr-x---'
> But that is what it almost is:
> -rwsr-x--x 1 root disk 26840 May 26 21:59 /usr/local/libexec/amanda/ambind
> It won't get past that point for anything if that final x isn't there
> ======
>
> When you run the configure using --with-group=backup, that will cause
> the Amanda install process to use "backup" as the group owner of those
> binaries, thus allowing your Amanda user to execute them.
>
> (Note that those setuid binaries MUST NOT BE executable by "other"; as
> you can see, Amanda won't allow the programs to run if they are,
> because otherwise any user on the system could execute them and obtain
> root privileges....  But if you re-build Amanda now, it should install
> the newly-build copies with all that corrected.)
>
>
>                                               Nathan
>
ok, I've fixed my script to use group backup and it's rebuilding now. I've 
also taken amanda out of group. So there should not be any aliases 
getting in the way.  And while the build is running, my coffee is both 
old and cold, so go make some fresh. I'm surprised the missus hasn't 
barked for some more.

hummm, it still installed a new amanda-security.conf file one directory 
deeper than was specced in gh.cf. Moved it, but who is supposed to 
own:group it. I moved it with a root session of mc, and it was root:root 
after the move.

First pass at amcheck, no perms in /tmp, looking, both amanda and 
amanda-dbg belonged to gene, so they got chown'd -R to amanda:backup.
Next pass at amcheck Daily got this:

amanda@coyote:/root$ /usr/local/sbin/amcheck Daily
Amanda Tape Server Host Check
-----------------------------
ERROR: program /usr/local/libexec/amanda/ambind: not executable
NOTE: Holding disk '/usr/dumps': 1477644 MB disk space available, using 1477144 MB
slot 1: volume 'Dailys-1'
Will write to volume 'Dailys-1' in slot 1.
NOTE: skipping tape-writable test
NOTE: conf info dir '/usr/local/var/amanda/Daily/curinfo' does not exist
      it will be created on the next run
NOTE: index dir '/usr/local/var/amanda/Daily/index' does not exist
      it will be created on the next run
Server check took 1.098 seconds
Amanda Backup Client Hosts Check
--------------------------------
ERROR: lathe: selfcheck request failed: amcheck-clients: error [exec /usr/local/libexec/amanda/ambind: Permission denied]
ERROR: picnc: selfcheck request failed: amcheck-clients: error [exec /usr/local/libexec/amanda/ambind: Permission denied]
ERROR: GO704: selfcheck request failed: amcheck-clients: error [exec /usr/local/libexec/amanda/ambind: Permission denied]
ERROR: coyote: selfcheck request failed: amcheck-clients: error [exec /usr/local/libexec/amanda/ambind: Permission denied]
ERROR: shop: selfcheck request failed: amcheck-clients: error [exec /usr/local/libexec/amanda/ambind: Permission denied]
Client check: 5 hosts checked in 13.260 seconds.  5 problems found.
(brought to you by Amanda 3.5.1.git.19364c7b)

amanda@coyote:/root$ ls -l /usr/local/libexec/amanda/ambind
-rwsr-x--- 1 root backup 26840 May 27 11:11 /usr/local/libexec/amanda/ambind

Is that correct? If wrong for owner root, what's the fix, which we'll need 
to do to calcsize, runtar and rundump.  An ls -l of the whole dir looks 
wrong to me:
amanda@coyote:/root$ ls -l /usr/local/libexec/amanda/
total 3008
-rwxr-xr-x 1 root staff    6674 May 27 11:11 amadmin_perl
-rwxr-xr-x 1 root staff  125680 May 27 11:11 amandad
-rw-r--r-- 1 root staff     967 May 27 11:11 amanda-sh-lib.sh
-rwxr-xr-x 1 root staff   40826 May 27 11:11 ambackupd
-rwsr-x--- 1 root backup  26840 May 27 11:11 ambind
-rw-r--r-- 1 root staff     180 May 27 11:11 amcat.awk
-rwxr-xr-x 1 root staff   11604 May 27 11:11 amcheck-device
-rwxr-xr-x 1 root staff   10234 May 27 11:11 amdumpd
-rwxr-xr-x 1 root staff    3795 May 27 11:11 amidxtaped
-rwxr-xr-x 1 root staff  181080 May 27 11:11 amindexd
-rwxr-xr-x 1 root staff    2439 May 27 11:11 amlogroll
-rwxr-xr-x 1 root staff  436952 May 27 11:11 amndmjob
-rw-r--r-- 1 root staff   20523 May 27 11:11 amplot.awk
-rw-r--r-- 1 root staff    3400 May 27 11:11 amplot.g
-rw-r--r-- 1 root staff    3410 May 27 11:11 amplot.gp
-rwxr-xr-x 1 root staff   97104 May 27 11:11 amtrmidx
-rwxr-xr-x 1 root staff   48152 May 27 11:11 amtrmlog
drwxr-sr-x 2 root staff    4096 May 27 11:11 application
-rwsr-x--- 1 root backup  56904 May 27 11:11 calcsize
-rwxr-xr-x 1 root staff    2663 May 27 11:11 chunker
-rwxr-xr-x 1 root staff  310280 May 27 11:11 driver
-rwxr-xr-x 1 root staff  193872 May 27 11:11 dumper
-rwsr-x--- 1 root backup  34120 May 27 11:11 killpgrp
-rwxr-xr-x 1 root staff  448544 May 27 11:11 ndmjob
-rwxr-xr-x 1 root staff   31240 May 27 11:11 noop
-rwxr-xr-x 1 root staff    5043 May 27 11:11 patch-system
-rwxr-xr-x 1 root staff  224656 May 27 11:11 planner
-rwxr-xr-x 1 root staff    1547 May 27 11:11 restore
drwxr-sr-x 8 root staff    4096 May 27 11:11 rest-server
-rwsr-x--- 1 root backup  30536 May 27 11:11 rundump
-rwsr-x--- 1 root backup  41592 May 27 11:11 runtar
-rwxr-xr-x 1 root staff  135544 May 27 11:11 selfcheck
-rwxr-xr-x 1 root staff  205032 May 27 11:11 sendbackup
-rwxr-xr-x 1 root staff   61704 May 27 11:11 senddiscover
-rwxr-xr-x 1 root staff  172072 May 27 11:11 sendsize
-rwxr-xr-x 1 root staff    2909 May 27 11:11 taper
-rwxr-xr-x 1 root staff   23136 May 27 11:11 teecount

I just mounted and checked the wheezy drive. It has disk for group backup 
above but looks the same otherwise. And it worked for half a decade.
So I did another install, the amanda-security.conf was owned by 
root:root, so I unfixed the other one. That did not change the ambind 
error x5 recorded above. Group file error now? I'm burned out...

This is /etc/group now

amanda@coyote:/root$ grep amanda /etc/group
mail:x:8:gene,amanda
amanda:x:1001:

amanda@coyote:/root$ grep backup /etc/group
backup:x:34:


Thanks Nathan.

>
> ----------------------------------------------------------------------------
> Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
> Ray Ontko & Co.  -  Software consulting services  -  http://www.ontko.com/
> GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
> Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239



Copyright 2019 by Maurice E. Heskett
Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
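The permission rules the thread turns on (each setuid Amanda helper owned by root, mode exactly rwsr-x--- so "other" cannot execute it, group owner equal to the configured --with-group, and the Amanda user actually listed as a member of that group in /etc/group) can be checked mechanically before running amcheck. The script below is an added example written for this page; it is not part of Amanda or of either poster's message. The function names, the constructed SAMPLE_GROUP excerpt and the reliance on GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical checker (example, not Amanda's own code) for the setuid
# helpers ambind, calcsize, rundump, runtar and killpgrp.  The pure
# functions take their inputs as arguments so the logic can be exercised
# against constructed data without touching a real installation.

# check_setuid_mode MODE OWNER GROUP EXPECTED_GROUP
#   MODE is the octal mode as printed by GNU `stat -c %a` (e.g. 4750).
#   Prints the reason on failure; returns 0 when the binary is installed
#   the way amcheck expects.
check_setuid_mode() {
    mode=$1; owner=$2; group=$3; expected_group=$4
    if [ "$owner" != root ]; then
        echo "wrong owner '$owner', must be root"; return 1
    fi
    if [ "$group" != "$expected_group" ]; then
        echo "wrong group '$group', must be '$expected_group'"; return 1
    fi
    # 4751 is the rwsr-x--x case from the thread: any user could run the
    # setuid-root helper, so amcheck refuses it.  Only 4750 is accepted.
    if [ "$mode" != 4750 ]; then
        echo "wrong permission $mode, must be 4750 (rwsr-x---)"; return 1
    fi
    return 0
}

# user_in_group USER GROUP GROUP_FILE_CONTENT
#   Returns 0 if USER appears in the comma-separated member list (fourth
#   field) of GROUP in the supplied /etc/group text.  Like the thread's
#   grep of /etc/group, this looks only at supplementary membership.
user_in_group() {
    user=$1; group=$2; content=$3
    printf '%s\n' "$content" | awk -F: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_installed_binary PATH EXPECTED_GROUP USER
#   Runs both checks against a real file, reading mode/owner/group with
#   GNU stat and membership from the live /etc/group.
check_installed_binary() {
    path=$1; expected_group=$2; user=$3
    info=$(stat -c '%a %U %G' "$path") || return 1
    set -- $info
    check_setuid_mode "$1" "$2" "$3" "$expected_group" || return 1
    if ! user_in_group "$user" "$expected_group" "$(cat /etc/group)"; then
        echo "user '$user' is not a member of group '$expected_group'"
        return 1
    fi
    echo "$path: ok"
}

# Constructed /etc/group excerpt in the shape of the one in the thread
# (sample data for this example, not copied from any real system).
SAMPLE_GROUP='mail:x:8:gene,amanda
disk:x:6:gene,backup
backup:x:34:
amanda:x:1001:'

# Demonstration on the constructed data only; no files are touched.
check_setuid_mode 4751 root disk backup || true
user_in_group amanda backup "$SAMPLE_GROUP" || echo "amanda is not a member of backup"
```

Against a real install, `check_installed_binary /usr/local/libexec/amanda/ambind backup amanda` runs the same two checks. A binary that passes the mode test but fails the membership test produces exactly the symptom in the thread: the file is 4750 root:backup, yet the Amanda user gets "Permission denied" because it is not in the group that owns it.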
