Re: Mounting FS read-only for specific user (or root)
Mel wrote: On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote: Erik Norgaard escribió: I assume the reasoning for this is you want to preserve permissions and attributes on your backup, so you can't solve this simply by setting permissions appropriately. Yes, exactly. Users need to be able to see their own backups, and nobody else's. Isn't this what acl's are for? See setfacl(8). I haven't looked into it in great detail but seems to me that if you make a subdir owned by the user for each backup root for that user and set the acl to only be accessible by user, it should work. After playing around with this for a bit, I took Erik's suggestion of mounting the backup directory rw in a root-specific area. I didn't think it would work, but my understanding of the permission structure in UNIX is flawed, and it does work :) The setup, for those interested, is as follows: disk2 mounted read-write in /root/.backup /root/.backup mounted using nullfs read-only in /backups drwx-- root wheel /root drwxr-xr-x root wheel /root/.backup drwxr-xr-x root wheel /backups This way, the permissions on /root prevents normal users from writing to the backup mount underneath it, even though they may own files and have write permissions on those files. The permissions of the mount point allow users to view the contents and restore files, but not write to it because the nullfs mount (/backups) is read-only. General users are unable to write to the read-write mount point (/root/.backup) because the permission of the parent directory (/root) is 700. This allows the backup process to write to the backup filesystem, yet still prevents normal users from writing to it. I think this setup could be improved as I'm simply relying on file permissions to keep the backup filesystem read-only for normal users. The problem is not having the ability to mount a filesystem read-write for a specific user -- regardless of the permissions of files on that filesystem. Thanks Erik and Mel for the help with this! Andrew ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Mounting FS read-only for specific user (or root)
Mel escribió: On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote: Erik Norgaard escribió: I assume the reasoning for this is you want to preserve permissions and attributes on your backup, so you can't solve this simply by setting permissions appropriately. Yes, exactly. Users need to be able to see their own backups, and nobody else's. Isn't this what acl's are for? See setfacl(8). I haven't looked into it in great detail but seems to me that if you make a subdir owned by the user for each backup root for that user and set the acl to only be accessible by user, it should work. I can't test it on my system at the moment, but wouldn't acls make the files writable for general users? The backup filesystem needs to be mounted read-write for root only, and read-only for general users, yet maintain ownership and permissions. Is it possible to use acls to revoke normal UNIX permissions on a directory hierarchy? I.e. use acls to limit users from writing to the read-write backup filesystem. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Mounting FS read-only for specific user (or root)
Erik Norgaard escribió: Andrew Bradford wrote: I'm trying to set up a mounted filesystem that is read-write for root, but read-only for anyone else. It will be mounted as a backup directory, so files listed in that directory will be owned by current users on the system but can't be writeable, regardless of the file permissions. hd2 mounted rw in /root/backup-rw hd2 mounted ro in /backups Is this possible? Have you tried? ;) Yes, and it seems to almost work (but not quite). I can set the mount point to have 700 permissions, which excludes everyone from accessing the mounted filesystem but root. If I then mount it again using nullfs, it inherits the permissions of the original mountpoint, and is unreadable by everyone. I assume the reasoning for this is you want to preserve permissions and attributes on your backup, so you can't solve this simply by setting permissions appropriately. Yes, exactly. Users need to be able to see their own backups, and nobody else's. But then, do users need frequent access to their backup? Then you could simply mount it on a mount point which only has root access. It would be preferable to not require root access to restore backups. Looks like nullfs isn't the answer. How hard would it be to write a nullfs-clone that allowed different permissions on the destination mount point than the source mount point? Cheers, Erik Thanks, Andrew ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Mounting FS read-only for specific user (or root)
Hi all, I'm trying to set up a mounted filesystem that is read-write for root, but read-only for anyone else. It will be mounted as a backup directory, so files listed in that directory will be owned by current users on the system but can't be writeable, regardless of the file permissions. Example hd2 mounted rw in /root/backup-rw hd2 mounted ro in /backups Only root should be able to write to anything under /root/backup-rw/ even though normal users will own files in that directory. Normal users should be able to read anything that permissions allow in /backups so that they can restore files from the backup. I was planning on using the nullfs fs type to achieve the second mountpoint for the fs. Is this possible? Thanks, Andrew ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"