|
|
|
|
This is a simplified, step-by-step guide for installing BackupPC, and configuring the correct userIDs and permissions necessary to run the BackupPC CGI admin tool on SuSE Linux 10.0 with Apache2. One other significant topic covered is the use of mod-suexec and virtual hosts in place of using sperl with setuid. This appears to be the easiest way to do it in SuSE.
I hope parts of this document will be helpful to all Linux users. However, it was specifically tested for SuSE 10.0 or OpenSuSE 10.0 using Apache2.
This document assumes the following:
Install RsyncP from http://www.cpan.org
tar xzvf File-RsyncP-X.XX.tar.gz cd File-RsyncP-X.XX perl Makefile.PL make make test sudo make install
You can install the other two Perl Modules through the YaST Software Management tool
Create a backuppc user and backuppc group in YaST User Management tool
Create backuppc as a "System User" Make uid greater than 100 for suexec to work Set user's default group to backuppc Set user dir to something like /var/lib/backuppc shell = /bin/bash create home files = false If desired, you can add your own .bashrc to /var/lib/backuppc
These are the steps to configure Apache for the BackupPC installation.
Enable Apache through the YaST HTTP Server configuration tool. Enable the HTTP Service to start on boot.
Enable Apache Mod Suexec through YaST
Sperl is not included in the SuSE Apache2 distribution mainly for security reasons. An easier alternative is using the Apache Suexec module, which is included with Apache2 for SuSE. Documentation can be found here: http://httpd.apache.org/docs/2.0/suexec.html
You can enable the suexec (mod-suexec) apache module in YaST:
HTTP Server Configuration > Modules
Now add the SuexecUserGroup directive to your apache configuration. This can be done a few ways:
If you have a dedicated Apache instance, you can simply add the SuexecUserGroup directive to /etc/apache2/default-server.conf file:
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/" SuexecUserGroup backuppc backuppc
For suexec to work, the cgi-bin directory also needs to be writable by the backuppc user.
Note:
The main limitation with this setup is that suexec will cause any other CGI programs in this instance of Apache to try running as user backuppc and group backuppc, which may interfere with other applications.
If you really have a dedicated server, or you have the determination to run a second Apache instance, you may want to consider using the Mod_Perl Option instead. I should mention however that SuSE does not like to run it's Apache distribution as any other user than wwwrun, which becomes a problem with the Mod_Perl setup.
If common sense does not phase you, and you still feel this option is for you; feel free to skip ahead to the Create Apache Users section. Otherwise, if you came here to setup a shared server, and you aren't going to be happy until that's what you have, then read on...
A more robust way is to create a new VirtualHost just for your BackupPC server. This will allow you to maintain just one Apache instance and selectivley add the SuexecUserGroup directive to just the VirtualHost that BackupPC is configured on. The setup is a little more complex, but worth it. See Apache's VirtualHost documentation to become more familiar:
http://httpd.apache.org/docs/2.0/vhosts/
There are two ways you can setup your VirtualHost in Apache:
This is necessary if your BackupPC server has only one network adapter, and therefore just one IP address. First, you will need to add a new NameVirtualHost directive in /etc/apache2/listen.conf by uncommenting the following line:
NameVirtualHost *:80
Now configure the new VirtualHost by adding a new configuration file to your /etc/apache2/vhosts.d directory. I have included namevhost1-backuppc.conf as a starting point. Just drop it into the vhosts.d directory. No need to rename the file, but you should customize the ServerAlias directive.
When you add a Name-Based VirtualHost to an existing web server, you must also create a default <VirtualHost> block in order to access the existing server. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. See http://httpd.apache.org/docs/2.0/vhosts/name-based.html for more details.
For convenience, I have also included a sample namevhost0-default.conf file to add to your vhosts.d directory. This will automatically give you a default virtual host configuration. Just drop it into the vhosts.d directory with the other config file. No need to rename the file, but you need to customize the ServerName directive.
Assuming your BackupPC server already has a DNS A name associated with it, you will need to configure your network so that the host-name backuppc also points to the same IP address. This can be done on your DNS server using a CNAME alias (or as an extra entry in all your hosts files).If you have an extra network card configured on the server, consider yourself lucky. Simply add it as a second Listen address in /etc/apache2/listen.conf (Or in YaST through Http Server Configuration > Listen)
Listen 10.0.0.10:80 Listen 10.0.0.11:80
Now configure the new VirtualHost by adding the a new configuration file to your /etc/apache2/vhosts.d directory. I have included ipvhost-backuppc.conf as starting point. Just drop it into the vhosts.d directory. No need to rename the file, but you will need to customize your VirtualHost IP address to match:
<VirtualHost 10.0.0.11:80>
Also, configure your network so that backuppc points to the the IP address of the second ethernet adapter. This can be done on your DNS server using an A name translation (or as an entry in all your hosts files). The IP address also needs to match the VirtualHost IP address in ipvhost-backuppc.conf.
This step if for both Name-Based and IP-Based virtual Host setups. You will need to create a cgi-bin subdirectory for installing the BackupPC_Admin CGI script.
su - mkdir -p /srv/www/vhosts/backuppc/cgi-bin chmod 755 /srv/www/vhosts/backuppc/cgi-bin chown backuppc:backuppc /srv/www/vhosts/backuppc/cgi-bin
Now create users in apache that correspond to your BackupPC conf/hosts file:
su - mkdir /etc/apache2/htpasswds chown root:www /etc/apache2/htpasswds chmod 750 /etc/apache2/htpasswds touch /etc/apache2/htpasswds/backuppc_passwdfile chown root:www /etc/apache2/htpasswds/backuppc_passwdfile chmod 640 /etc/apache2/htpasswds/backuppc_passwdfile htpasswd2 /etc/apache2/htpasswds/backuppc_passwdfile peter
If you chose the dedicated server option, and are therefore not using any of the included VirtualHost config files, you will need to manually add the following 4 lines to your Apache cgi-bin Directory section in /etc/apache2/default-server.config
<Directory "/srv/www/cgi-bin"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all AuthName "BackupPC Admin" AuthType Basic AuthUserFile /etc/apache2/htpasswds/backuppc_passwd Require valid-user </Directory>
Restart Apache for all configuration changes to take effect
apache2ctrl restart
Download BackupPC and any patch files here.
Unzip the BackupPC distribution
tar xzvf BackupPC-2.1.2.tar.gz cd BackupPC-2.1.2
Install any patches
patch -p0 < ../BackupPC-2.1.2pl1.diff
Run the BackupPC installation script
sudo perl configure.pl
Here are some sample installations that should work well for SuSE...
Sample install for dedicated (non VirtualHost) backuppc server:
--> Full path to existing conf/config.pl []?
--> Are these paths correct? [y]? y
--> BackupPC will run on host [hostname]?
--> BackupPC should run as user [backuppc]?
--> Install directory (full path) []? /opt/BackupPC
--> Data directory (full path) []? /backup
--> Compression level [3]?
--> CGI bin directory (full path) []? /srv/www/cgi-bin/backuppc
--> Apache image directory (full path) []? /srv/www/htdocs/backuppc
--> URL for image directory (omit http://host; starts with '/') []? /backuppc
--> Do you want to continue? [y]? y
Sample install using VirtualHost or NameVirtualHost backuppc server:
--> Full path to existing conf/config.pl []?
--> Are these paths correct? [y]? y
--> BackupPC will run on host [hostname]? backuppc !!! Use virtual host name !!!
--> BackupPC should run as user [backuppc]?
--> Install directory (full path) []? /opt/BackupPC
--> Data directory (full path) []? /backup
--> Compression level [3]?
--> CGI bin directory (full path) []? /srv/www/vhosts/backuppc/cgi-bin
--> Apache image directory (full path) []? /srv/www/vhosts/backuppc/images
--> URL for image directory (omit http://host; starts with '/') []? /images
--> Do you want to continue? [y]? y
Set permissions of Admin CGI file (must be 750 and no setuid!)
su - chmod 750 /srv/www/vhosts/backuppc/cgi-bin/BackupPC_Admin
Install backuppc service
cd [build-dir]/init.d cp suse-backuppc /etc/init.d/backuppc chmod 744 /etc/init.d/backuppc chkconfig backuppc 345 chkconfig --list backuppc
Start backuppc service
Once you have modified your config files, you are ready to start the backuppc service.
/etc/init.d/backuppc start
Now it's time to test that everything is working properly. Assuming the backuppc service started correctly, you should now be able to access the CGI Admin tool in your web browser.
For a dedicated (non VirtualHost) backuppc server, you should access the CGI script through the actual host name or IP address of the server:
http://hostname/cgi-bin/BackupPC_Admin
For a VirtualHost configured backuppc server, you access the CGI script by the virtual host name:
http://backuppc/cgi-bin/BackupPC_Admin
Also Note: When using the VirtualHost configuration, you should not be able to access the BackupPC_Admin script when using the real host name of the server. This tells you that the VirtualHost has indeed been setup properly.