On Saturday 31 May 2003 06:14, Wojciech Jedliczka wrote:
- Original Message -
From: Gene Heskett
To: Wojciech Jedliczka; Kevin Passey
Sent: Saturday, May 31, 2003 11:24 AM
Subject: Re: Configuring RH7.2 Amanda out of the box - error
accessing Ama nda hosts file.
On Saturday 31 May 2003 04:40, Wojciech Jedliczka wrote:
Hi,
I thought that once I sent the mail so I added both it now
looks like
dilmom.as400resource.com amanda
dilmom amanda
Still no Joy !!
Thanks for your reply anyway.
Regards
Kevin
-Original Message-
*snip*
Amanda Backup Client Hosts Check
ERROR: dilmom: [access as amanda not allowed from
[EMAIL PROTECTED] open of /home/amanda/.amandahosts failed
^
Check the owner and permisions of '/home/amanda/.amandahosts' -
should be amanda.disk and 660.
WJ
Nope, 0600. RTM please.
--
Cheers, Gene
Gene,
I always RTFM many times.
Inside all docs files in amanda distribution is no place
giving suggestion about .amandahosts permissions.
Amandahosts file is used for authorization and therefore
it is important who owns these file and who has access
to read and write.
From the security point of view is better to has 600
than 660 but both are acceptable for me.
You are absolutely correct in that a grep for 0600 in the docs
directory of the latest image comes back empty. However, its been
quoted here several times that amanda does check those perms, and
will reject the file if anyone BUT amanda (and of course root) has
access rights.
Apparently this is considered a security leak if the software informs
the user whats wrong so that he can fix it. From current snapshot,
common-src/security.c:
--
security.c:ptmp = stralloc2(pwptr-pw_dir, /.amandahosts);
security.c-if((fPerm = fopen(ptmp, r)) == NULL) {
security.c- /*
security.c- * Put an explanation in the amandad.debug log that
will help a
security.c- * system administrator fix the problem, but don't
send a clue
security.c- * back to the other end to tell them what to fix in
order to
security.c- * be able to hack our system.
security.c- */
security.c- dbprintf((%s: fopen of %s failed: %s\n,
security.c- debug_prefix_time(NULL), ptmp,
strerror(errno)));
security.c- *errstr = vstralloc([,
security.c- access as , localuser, not
allowed,
security.c- from , remoteuser, @,
remotehost,
security.c- ] open of ,
security.c- ptmp,
security.c- failed, NULL);
--etc---
The only one place where you can find a note about
.amandahost file permissions is www.backupcentral.com/amanda-13.html
which I am treating as a guide for the Amanda written some day
in the past.
Unless Dave has updated it, its about 2 years old. However, I don't
recall that this particular item has been changed. But as in all
things amanda, I'll defer to the authors if they'd like to chime in
and correct me.
When I am trying to help someone via list I am usually checking
my servers settings and not always RTFM. In this case I have
checked my RH9 Amanda server installed during RH9 automatic
built. Amandahosts has 660 so that is why I have sent such
suggestion for Kevin. My second Amanda server built from
source has .amandahosts 600.
Redhat set incorrect perms on that file in that event, probably so
that their installer didn't have to become 'amanda' to write it in
the first place, and one more reason to excise the rpm completely and
install from a recent tarball. The tarball unpack, configure, build
and install is a 4 minute job on recent hardware, but the
configuration OF the install will take several more hours for the
gnubee.
There are plenty of folks here who will be glad to help you however.
:)
Cheers, Wojtek
--
Cheers, Gene
AMD [EMAIL PROTECTED] 320M
[EMAIL PROTECTED] 512M
99.26% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attornies please note, additions to this message
by Gene Heskett are:
Copyright 2003 by Maurice Eugene Heskett, all rights reserved.
