[Server-devel] Backup of user home

John Watlington wad at laptop.org
Tue Sep 15 01:31:37 EDT 2009


On Sep 15, 2009, at 1:12 AM, Raul Gutierrez Segales wrote:

> On Mon, 2009-09-14 at 19:43 -0400, John Watlington wrote:
>> You are correct.   Since your backup script by definition needs to read ALL data,
>> regardless of ownership or permissions, you will have to run it with superuser
>> privileges.
>
> Unless, if this isn't a huge security hole, we can relax permissions
> (i.e. chmod -R g+r /library/users and reconfigure whatever creates users
> backups with ownership SN:SN to use SN:wheel).
So you go around modifying the group of all the user's files.
That is assuming that nothing on the XO cares about group or group
permission, isn't it?

>> Why don't you consider using the rsync server, instead of invoking it
>> through a user ?
>>
>
> What is the advantage of doing this instead of a pull using rsync
> through ssh as proposed by Rodolfo? That the rsync server would run as
> root (hence we would have access to the whole filesystem)?

Not at all.   An rsync server can be configured to only expose parts of
the filesystem, and can expose them read-only if desired.

Enabling a pull using rsync through ssh allows a lot of other nastiness
to be performed if cracked, not just reading the user's data.

wad

>
> Raúl
>
>
>> John
>>
>>
>> On Sep 14, 2009, at 3:26 PM, Rodolfo D. wrote:
>>
>>> Hello:
>>>
>>> I'm working on a backup and restore feature for our schoolservers,
>>> and I got stuck on home directories of laptops
>>>
>>> The backup works like this.. based on the backup script provided by
>>> dsd, and also based on our specific features.. I placed all
>>> important data in a directory "/library/backup" (which can later be
>>> tar, zipped, and in our case rsync-ed), and it's being done by a cron
>>> job
>>>
>>> On a centralized backup server.. we have a script that PULLS the
>>> /library/backup of each server, so main configs are being saved
>>> without much hassle.. But when it comes to user directories, it
>>> lacks permissions, because the /library/users/SN directory has no
>>> read permissions for others
>>>
>>> how would you recommend that we do this?
>>>
>>> My first thought was to simply just add recursive read permissions
>>> to the user folder.. but that doesn't take security in mind..
>>> perhaps there's another way
>>>
>>> for now our pull works like this:
>>>
>>> root@backupserver ~ $ rsync user@schoolserver:/library/backup/ /backup/schoolserver/backup/
>>> root@backupserver ~ $ rsync user@schoolserver:/library/users/ /backup/schoolserver/users/
>>>
>>> root@backupserver ~ $ rsync user2@schoolserver2:/library/backup/ /backup/schoolserver/backup/
>>> root@backupserver ~ $ rsync user2@schoolserver2:/library/users/ /backup/schoolserver/users/
>>>
>>> Doing a push as a cron job from the server was a second idea, but
>>> the backup server does "other" things so security in the backup
>>> server is very important
>>>
>>> Any ideas?
>>>
>>> cheers..
>>>
>>> -- 
>>> Rodolfo
>>>
>>> _______________________________________________
>>> Server-devel mailing list
>>> Server-devel at lists.laptop.org
>>> http://lists.laptop.org/listinfo/server-devel
>>
>
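
Added example, not part of the original thread and not the project's own configuration: a sketch of an rsyncd.conf on the school server for the approach John describes above, an rsync server that exposes only parts of the filesystem, read-only. The module names, the backup server address 192.0.2.10, the account name "backuppull" and the secrets file path are assumptions.

```ini
# /etc/rsyncd.conf on the school server (constructed example)

# Global settings
log file = /var/log/rsyncd.log
max connections = 2
# Confine each transfer to the module's path.
use chroot = yes
# Refuse all uploads and deletions; the daemon only serves reads.
read only = yes
# Do not advertise module names to clients that ask for a listing.
list = no
# Assumption: 192.0.2.10 is the central backup server. Everyone else is refused.
hosts allow = 192.0.2.10
hosts deny = *
# Assumption: "backuppull" is an rsync-only account name. It exists only in
# the secrets file, is not a system login and gives no shell.
auth users = backuppull
# Format "backuppull:<password>"; must be owned by root with mode 0600.
secrets file = /etc/rsyncd.secrets

[backup]
    comment = server configuration staged by the cron job
    path = /library/backup

[users]
    comment = laptop home directories
    path = /library/users
    # The daemon has to read every file regardless of ownership, so this
    # module runs as root, but only under the path above and read-only.
    uid = root
    gid = root

# Pull from the backup server (double colon selects the daemon, not ssh):
#   rsync -a --password-file=/root/.rsync-pass \
#       backuppull@schoolserver::users/ /backup/schoolserver/users/
#
# The daemon protocol authenticates with a challenge-response but does not
# encrypt file contents in transit.
```

With this layout the ownership and group of files under /library/users stay untouched, and the credential held by the backup server can only read the two listed modules.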
