The most difficult part of my BackupPC install was indeed dealing with the
suid stuff (followed by reading up on KeyChain and installing that to do
automated logins).

In case it's useful, here is what I did for SuSE 9.2 (cut-pasted from my
sysadmin notes). Also, I am getting a new backup server, and I'll be going
through the install process again soon, so this is a good opportunity to
get any comments on my procedure: if anybody sees any big mistakes with
what I did there, I'd be grateful if they were pointed out.


=============================
The CGI script needs to run with the backuppc uid, because it needs access
to files in the data directory that are owned by the backuppc user. Apache
usually runs under user wwwrun, so I chose to install the script so it
would run suid to backuppc (this is the standard setup in BackupPC's
documentation; see http://backuppc.sourceforge.net/faq/debugCGI.html for
details):


    # chown backuppc:backuppc /srv/www/cgi-bin/backuppc/BackupPC_Admin
    # chmod u+s /srv/www/cgi-bin/backuppc/BackupPC_Admin


Furthermore, the only way I could make the CGI script run was to


    # chmod u+s /usr/bin/perl


Running the script with /usr/bin/suidperl, rather than /usr/bin/perl didn't
make any difference (it might work if chmod'ing it to suid, but then what's
the point?).


Also, after upgrading to SuSE 9.2, the init script complained about wrong
user id, even though the startproc command in it says -u backuppc. I worked
around this by explicitly setting the suid bit on all scripts in
/opt/backuppc/bin:


    # chmod u+s /opt/backuppc/bin/*


I think something about how suid execution is handled has changed from SuSE
9.1 to 9.2. It looks like things have been tightened, but I haven't found
info about how to go about this.


Make sure to also set correct execute permission for the main configuration
file, as well as for all directories above it: if the directories above it
don't have the right ownership/permissions, the CGI script won't be able to
read the configuration file, even if it itself has the correct permissions.
We should evaluate whether these permissions pose an acceptable security
risk or not (I think they are OK, but they are a little more lenient than
rw-------).
==============================

That last part still bothers me though...


Bernardo Rechea




"Rutger" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/16/2005 04:38 AM
Please respond to testacc

To: backuppc-users@lists.sourceforge.net
Subject: Re: [BackupPC-users] Re: CGI-error on Debian Sarge Install (Premature end of script headers: index.cgi)




OK, but what's the solution at this moment? Suid-perl is installed here,
Debian automatically gets what it needs so it was installed.

Is this fixable or isn't it at the moment? Or should I install the
testing version?


> On Tue, 2005-11-15 at 18:41 -0600, OQ wrote:
>> Package: perl-suid (5.8.4-8)
>>
>> Runs setuid Perl scripts
>>
>>  suidperl is a setuid root helper program which is invoked by perl
>> when executing scripts with setuid/gid bits set on systems (like
>> linux) which don't have support setuid script execution natively in
>> the kernel.
>>
>>  Usage of this program is now strongly deprecated upstream and support
>> (along with this package) will probably be removed in 5.10.
>
> The problem of gaining the correct access rights via a web server will
> remain, regardless of if this package is deprecated.  Somehow, the
> problem will continue to need solving.  Some kind of sudo wrapper,
> perhaps?
>
> At this time, in any case, the backuppc package for ubuntu indicates
> that suidperl is a required dependency, and it continues to rely on it.
> Hopefully, a solution will be built into backuppc in a near term future
> release.
>
> Thanks for the heads-up, I wasn't aware of the issue.
>
> Regards,
> Rich
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
> Register for a JBoss Training Course.  Free Certification Exam
> for All Training Attendees Through End of 2005. For more info visit:
> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/backuppc-users
> http://backuppc.sourceforge.net/
>
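
An added example, not part of the original messages: a read-only audit of the permission choices in the notes at the top of this thread (which files carry the setuid bit, whether the configuration file is readable beyond owner and group, and which directories above it block access). The function names and the `CONF` variable are hypothetical, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original message): read-only permission audit.

# suid_set FILE... -> print every FILE that carries the setuid bit.
suid_set() {
    for f in "$@"; do
        if [ -u "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# other_bits PATH -> print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1     # GNU stat, e.g. 640 or 4755
    printf '%s\n' "${mode#"${mode%?}"}"       # keep the last digit only
}

# world_readable FILE -> succeed if users outside owner and group can read FILE.
world_readable() {
    case $(other_bits "$1") in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# chain_blockers FILE [TOP] -> print each directory from FILE's parent up to TOP
# (default /) that lacks the "other" search bit. An account that is neither the
# owner nor in the group of such a directory cannot reach FILE.
chain_blockers() {
    top=${2:-/}
    dir=$(dirname "$1")
    while :; do
        case $(other_bits "$dir") in
            1|3|5|7) ;;
            *) printf '%s\n' "$dir" ;;
        esac
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# Usage with the paths from the notes (CONF is a placeholder, set it yourself):
#   suid_set /usr/bin/perl /usr/bin/suidperl /srv/www/cgi-bin/backuppc/BackupPC_Admin
#   world_readable "$CONF" && echo "config readable by every local user"
#   chain_blockers "$CONF"
```

A setuid bit reported on `/usr/bin/perl` itself means every Perl script on the host runs with the interpreter owner's uid, not only the BackupPC CGI.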



