Hi,

Phil Reynolds wrote on 2013-10-19 05:45:51 +0100 [Re: [BackupPC-users] Parameter for incremental backups on localhost using tarCreate.sh script]:
> On Sat, 19 Oct 2013 01:11:35 +0200
> Holger Parplies <wb...@parplies.de> wrote:
>
> > [...]
> > I don't really understand the need of a shell script, though.
> > What, exactly, was the point? It appears tarCreate.sh is adding a
> > '-c' option. Your sudo rule can enforce that just as well (and in a
> > way less prone to creating security holes).
> >
> >     backuppc ALL=NOPASSWD: /bin/tar -c *
>
> Hmmm... I'd not thought of that as an option - the documentation I read
> claimed the script was better than merely allowing tar, which it is...
> but my limited experience of sudo meant I wasn't aware of the
> possibility you mention.

re-reading this I feel my suggestion was a bit ambiguous. Just to be clear:
sudo *doesn't add* options to commands it executes, it ensures that the rule
only applies if the options are already there. With the above rule, the
following will ("OK")/will not ("XX") work:

OK> sudo tar -c -v -f /tmp/foo.tar /bar
XX> sudo tar cvf /tmp/foo.tar /bar
XX> sudo tar -v -f /tmp/foo.tar /bar
XX> sudo tar -v -c -f /tmp/foo.tar /bar
XX> sudo tar -cvf /tmp/foo.tar /bar

The second line will fail, because sudo doesn't know that 'c' and '-c' mean
the same to tar. The third, fourth and fifth will fail because the first
argument to tar is not '-c'. Again, sudo doesn't know that '-v -c', '-c -v'
and '-cv' are all equivalent for tar (there could be commands where that's
not the case). Additionally, the third line wouldn't give a valid tar command
line (no function selected). For all the failing lines, sudo would ask for a
password and then deny access (unless granted by another line in
/etc/sudoers).

To sum it up, what you put in /etc/sudoers doesn't *change* what you need to
put in your BackupPC configuration but rather tries to *match* it as closely
as possible and meaningful ('-c' and '-f -' are important, because they
prevent writing to the target system; '-v' and '-C /' don't make any
difference, because they don't limit a potential attacker in what he is able
to do).

So, presuming you have

    $Conf{TarClientCmd} = 'sudo $tarPath -c -v -f - -C / --totals';

I'd recommend

    backuppc ALL=NOPASSWD: /bin/tar -c -v -f - *

in /etc/sudoers.

> Planning to see what rsync is like as a method once I've perfected tar
> - then I'll go with whichever seems to cause me least bother.

It shouldn't be much difference.

    $Conf{RsyncClientCmd} = 'sudo $rsyncPath $argList';

    backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *

(you can add more arguments to that, but I don't think it will improve
security unless you can include the paths you are backing up, and they're at
the end, behind the ex-/includes ...).

As Les has already said, you should note, though, that rsync does more exact
incremental backups. tar might cause you bother when you're not expecting it -
when you need to restore something and don't get an exact snapshot of the
system at the time the backup was taken.

Regards,
Holger

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
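
Added example, not part of the original message and not BackupPC or sudo code: a simplified Python model of how a sudoers rule matches a command's arguments, run over the five tar command lines from the message and over both suggested rules. The function names, the trailing "." path in BACKUP_CMD and the matching model itself (arguments joined into one string and compared with fnmatch) are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption of this example): the arguments are joined with
# single spaces and matched against the rule's argument pattern as ONE string,
# so '*' also matches across spaces and slashes. Real sudo additionally
# resolves the command path and handles escaping, which is not modelled here.

LOOSE_RULE = "/bin/tar -c *"           # first rule quoted in the message
TIGHT_RULE = "/bin/tar -c -v -f - *"   # rule recommended at the end

# The five command lines from the message, with tar resolved to /bin/tar.
EMAIL_EXAMPLES = [
    "/bin/tar -c -v -f /tmp/foo.tar /bar",
    "/bin/tar cvf /tmp/foo.tar /bar",
    "/bin/tar -v -f /tmp/foo.tar /bar",
    "/bin/tar -v -c -f /tmp/foo.tar /bar",
    "/bin/tar -cvf /tmp/foo.tar /bar",
]

# TarClientCmd from the message after expansion; the final "." is a
# constructed stand-in for whatever file list gets appended.
BACKUP_CMD = "/bin/tar -c -v -f - -C / --totals ."


def rule_allows(rule, argv):
    """Return True if the rule (command plus argument pattern) covers argv."""
    rule_cmd, _, rule_args = rule.partition(" ")
    if argv[0] != rule_cmd:
        return False
    if not rule_args:
        return True  # a rule without arguments permits any arguments
    return fnmatchcase(" ".join(argv[1:]), rule_args)


def evaluate(rule, commands):
    """Apply one rule to several command lines; returns a list of booleans."""
    return [rule_allows(rule, cmd.split()) for cmd in commands]


if __name__ == "__main__":
    for rule in (LOOSE_RULE, TIGHT_RULE):
        print(rule)
        for cmd in EMAIL_EXAMPLES + [BACKUP_CMD]:
            verdict = "OK" if rule_allows(rule, cmd.split()) else "XX"
            print(f"  {verdict}> sudo {cmd}")
```

Under this model the looser rule still accepts the first command line, which writes /tmp/foo.tar on the client, while the tighter rule accepts only command lines that begin with '-c -v -f -', such as the backup command itself.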