Hi,

Rob Morin wrote on 18.10.2007 at 08:15:47 [[BackupPC-users] A tar restore 
issue, does not work on localhost]:
> So i found this post , i forget where that mentioned to use a tarCreat 
> file via sudo to do localhost backups... that works fine but restoring 
> does not work, any help appreciated....  All other servers vis rsync 
> work just fine....

let me put into a question what I gather from your post you might be asking:

"I'm doing local backups with XferMethod tar via sudo and a helper script.
 What do I need to observe when doing restores?"

Well, first of all, you'll also need to use sudo. If the backuppc user
doesn't have sufficient permissions for *reading* the files for backup, he
almost definitely won't have sufficient permissions for *writing* them on
restore.

Second, such helper scripts are a very real security risk. There's just
about no advantage, and it's easy to get things wrong. If the backuppc user
has *write access* to the script, he (or rather an intruder gaining backuppc
user privileges) has immediate full root access to the system, simply by
putting anything he wants into that script and executing it with 'sudo'.
Even worse, *any other user* with write access to the script (by local or
remote means) can alter it and simply wait for a scheduled backup to be run,
thus executing his commands. With such a script, you *really* need to make
sure that *only root* has write access to it. Even worse, you need to ensure
that command injection is impossible (which it probably isn't). Otherwise an
attacker does not even need write access to the script in order to abuse it.

You can achieve the same as with your unhelpful helper script without the
risks by simply putting this into the sudoers file:

backuppc ALL=NOPASSWD: /bin/tar -c *

That said, the only point of this seems to be to *limit backuppc's access to
reading*, i.e. creating tar files and not extracting tar files. If you want
to allow both backup and restore, it simply becomes

backuppc ALL=NOPASSWD: /bin/tar

True, if you wanted to do more complex things like limit what the backuppc
user is allowed to back up, you'd need a helper script, but you're not doing
that.

So, to sum it up:

1.) add to localhost.pl

    $Conf{TarClientRestoreCmd} = '/usr/bin/sudo $tarPath -x -p --numeric-owner --same-owner -v -f - -C $shareName';

2.) change the sudoers line to

    backuppc ALL=NOPASSWD: /bin/tar

3.) be more precise with your spelling ...

> locahost.pl file
> The tarCreat file used
> backuppc ALL = NOPASSWD: /usr/local/bin/tarCreate


One other thing (actually, the part you are currently having problems with
as opposed to what problems would come after you've fixed that, which I have
addressed above):

> Error as seen in the web gui along with the command used
> 
> 2007-10-17 16:05:56 Running: /usr/share/backuppc/bin/BackupPC_tarCreate 
> -h localhost <http://joe.dido.ca:888/backuppc/index.cgi?host=localhost> 
> -n 8 -s / -t -r /home/rob -p /home/rob/ /home/rob/Videotron.txt
> 2007-10-17 16:06:00 Restore failed (BackupPC_tarCreate failed)

it appears you've incorrectly pasted something into somewhere. I *often* see
things people have pasted from the web interface containing HTML markup on
this list. I suppose people are either too lazy to remove it or don't
notice. Perl does. The
"<http://joe.dido.ca:888/backuppc/index.cgi?host=localhost>" does ***not***
belong in that command. I'm not really sure where it came from, but if it's
really in the log file (and thus was in the command) and not just misquoted,
then it's the cause of your problems.

Hope that
> HELP!
s.

Regards,
Holger
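
Added example, not part of the original mail: a Python check for the write-access condition described above, for anyone who keeps a sudo helper script anyway. It goes one step beyond the mail by also checking every parent directory, since write access to a directory is enough to replace the file in it. The function name and the `trusted_uid` and `stop_at` parameters are assumptions made for this example; the helper path is the one from the quoted sudoers line.

```python
import os
import stat


def audit_sudo_helper(path, trusted_uid=0, stop_at="/"):
    """Return a list of findings; an empty list means only trusted_uid can alter the helper.

    Checks the script and each directory above it up to stop_at, because
    write access to a parent directory allows replacing the script itself.
    """
    findings = []
    current = os.path.realpath(path)      # follow symlinks to the real file
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid != trusted_uid:
            findings.append(f"{current}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{current}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{current}: world-writable")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break                          # reached stop_at or the filesystem root
        current = parent
    return findings


if __name__ == "__main__":
    # Helper path as it appears in the quoted sudoers line; adjust as needed.
    helper = "/usr/local/bin/tarCreate"
    if os.path.exists(helper):
        for line in audit_sudo_helper(helper) or ["no findings"]:
            print(line)
    else:
        print(f"{helper} not found")
```

The check is deliberately conservative: it reports group write access even when the group is root's, so each finding still needs a look at who is actually in that group.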
