backup under privileged mode (unix permissions)

Simon Strandgaard

I have some data which I make a backup of on a daily basis.
The data has many different owners/groups.

I have written some Ruby which does the job (when logged in as root).
I don't like running things as root, so I have created a dedicated
account only for backup, under which the backup script is supposed
to be executed.

Unfortunately I cannot figure out the last part (running the
ruby script with root read-permissions).

Q1: How should I set up the right permissions (setuid, /etc/group), any ideas?
Q2: How do you execute your backup scripts with the right permissions?

--
Simon Strandgaard



At that point where my script invokes 'cvslock', then it
fails like this:

cvsbackup@server> ruby backup.rb
NEONEYE'S CVS-BACKUP TOOL
source="/reliable/"
dest="/home/cvsbackup/todays_snapshot_of_cvs/"
stamp="20030911_23"
dropzone="[email protected]:backup/."
COMPRESSING REPOSITORIES
#3 public_documents ... cvslock: Error while locking repository.
backup.rb:39:in `size': No such file or directory - /home/cvsbackup/todays_snapshot_of_cvs/
public_documents/20030911_23.tar.gz (Errno::ENOENT)
from backup.rb:39:in `backup'
from backup.rb:47:in `pretty_backup'
from backup.rb:44:in `each'
from backup.rb:44:in `pretty_backup'
from backup.rb:70:in `execute'
from backup.rb:77
cvsbackup@server>




cvsbackup@server> expand -t2 backup.rb
require 'fileutils'

class Backup
  # these constants must be absolute paths,
  # Ruby doesn't like "~/stuff" kind of paths!
  DIR_SOURCE = "/reliable/"
  DIR_DEST = "/home/neoneye/todays_snapshot_of_cvs/"
  DROPZONE = "[email protected]:backup/."

  def initialize
    @stamp = prepare_stamp
    prepare_dirs
  end
  def prepare_stamp
    Time.now.strftime("%Y%m%d_%H")
  end
  def prepare_dirs
    if FileTest.exists?(DIR_DEST)
      FileUtils.rm_r DIR_DEST, :force => true
    end
    FileUtils.mkdir_p DIR_DEST, :mode => 0700
  end
  def names # repository_names
    Dir.chdir(DIR_SOURCE)
    Dir["*"]
  end
  def backup(name)
    dir_dest = DIR_DEST + name + "/"
    dest = dir_dest + @stamp + ".tar.gz"
    cmd_nest = "tar cfz #{dest} #{name}"
    cmd = "cvslock -q -d #{name} -c \"#{cmd_nest}\" ."

    # tar doesn't like leading '/' (slashes)
    # thus we must chdir to DIR_SOURCE
    Dir.chdir(DIR_SOURCE)
    FileUtils.mkdir_p dir_dest, :mode => 0700
    system(cmd)

    FileTest.size(dest) # return number of bytes
  end
  def pretty_backup
    ary = names
    n = ary.size
    ary.each do |name|
      print "##{n} #{name} ... "
      $stdout.flush
      bytes = backup(name)
      puts "OK (#{bytes} bytes)"
      n -= 1
    end
  end
  def transfer
    # transfer to remote host
    Dir.chdir(DIR_DEST)
    system("scp -rBq * #{DROPZONE}")
  end
  def info
    <<MSG
source=#{DIR_SOURCE.inspect}
dest=#{DIR_DEST.inspect}
stamp=#{@stamp.inspect}
dropzone=#{DROPZONE.inspect}
MSG
  end
  def Backup.execute
    i = Backup.new
    puts "NEONEYE'S CVS-BACKUP TOOL"
    puts i.info
    puts "COMPRESSING REPOSITORIES"
    i.pretty_backup
    puts "TRANSFERING REPOSITORIES"
    i.transfer
    puts "DONE"
  end
end

Backup.execute
cvsbackup@server>
 
Sean O'Dell

Simon said:
> I have some data which I make a backup of on a daily basis.
> The data has many different owners/groups.
>
> I have written some Ruby which does the job (when logged in as root).
> I don't like running things as root, so I have created a dedicated
> account only for backup, under which the backup script is supposed
> to be executed.
>
> Unfortunately I cannot figure out the last part (running the
> ruby script with root read-permissions).
>
> Q1: How should I set up the right permissions (setuid, /etc/group), any ideas?
> Q2: How do you execute your backup scripts with the right permissions?

It gets complicated (I've been there), and sometimes you just have to
say "hey, that's what root is for."

Assuming your backup script isn't executing anything else through the
"system" method and such, you probably can't make much use out of
playing with the real/effective user id's. Your problem is probably
strictly that you need permission to read the files you need backed up.

First thought: run it as root. IMO, that's one of the few things root
is really there for.

A slightly less "certain" method would be to make your backup user a
member of every group who might own files you want to back up. You do
this by editing the /etc/group file so that each group you want to add
backup to looks something like this:

groupname:x:user,backup

... then the backup user will have group permissions for every file
whose group is one of those groups. Unfortunately, if the file is
readable by the user, but not by the group the file is owned by, your
backup script will still not be able to read the file.

So, back to square one: run it as root. =)

Sean O'Dell
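
The group-membership limitation described in this reply, as an added example that is not part of the thread: a Ruby check that applies the owner/group/other rule to each entry's mode bits and lists what a non-root backup account would fail to read. The backup uid, the group list and the sample tree are constructed assumptions; ACLs and the permissions of directories above the root are not considered.

```ruby
require 'find'
require 'tmpdir'

SHIFT = { owner: 6, group: 3, other: 0 }.freeze

# The kernel consults exactly one permission class: owner, else group, else
# other. There is no fall-through to a more permissive class.
def perm_class(stat, uid, gids)
  return :owner if stat.uid == uid
  gids.include?(stat.gid) ? :group : :other
end

# True if an account with this uid and group list could back the entry up.
def backup_can_read?(stat, uid, gids)
  bits = (stat.mode >> SHIFT[perm_class(stat, uid, gids)]) & 0o7
  need = stat.directory? ? 0o5 : 0o4 # directories need r+x to be walked
  (bits & need) == need
end

# Paths (relative to root) that the backup account would fail to read.
def unreadable_entries(root, uid, gids)
  missed = Find.find(root).reject do |path|
    backup_can_read?(File.lstat(path), uid, gids)
  end
  missed.map { |path| path.delete_prefix("#{root}/") }.sort
end

# Constructed sample tree (not from the thread), one file per mode of interest.
MODES = { 'group_readable' => 0o640, 'owner_only' => 0o600,
          'other_but_not_group' => 0o604 }.freeze

def demo
  Dir.mktmpdir do |root|
    File.chmod(0o755, root)
    MODES.each do |name, mode|
      path = File.join(root, name)
      File.write(path, 'x')
      File.chmod(mode, path)
    end
    backup_uid = File.stat(root).uid + 1 # hypothetical uid, not the owner
    gids = Find.find(root).map { |p| File.lstat(p).gid }.uniq
    { in_groups: unreadable_entries(root, backup_uid, gids),
      no_groups: unreadable_entries(root, backup_uid, []) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Running `unreadable_entries` over the real source tree with the backup account's uid and group ids shows, before the first scheduled run, which files a group-based setup would silently leave out of the archive.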
 
Simon Strandgaard

> Simon said:
> > I have some data which I make a backup of on a daily basis.
> > The data has many different owners/groups.
> >
> > I have written some Ruby which does the job (when logged in as root).
> > I don't like running things as root, so I have created a dedicated
> > account only for backup, under which the backup script is supposed
> > to be executed.
> >
> > Q1: How should I set up the right permissions (setuid, /etc/group), any ideas?
> > Q2: How do you execute your backup scripts with the right permissions?
> [snip]
> A slightly less "certain" method would be to make your backup user a
> member of every group who might own files you want to back up. You do
> this by editing the /etc/group file so that each group you want to add
> backup to looks something like this:
>
> groupname:x:user,backup

Agree, appending 'backup' to most groups is silly :)

> ... then the backup user will have group permissions for every file
> whose group is one of those groups. Unfortunately, if the file is
> readable by the user, but not by the group the file is owned by, your
> backup script will still not be able to read the file.
>
> So, back to square one: run it as root. =)

I was really overheating my cheap brain, with all these considerations.
You have completely convinced me that run-as-root is the right way to go.


Thanks for the educational text, I appreciate it.
 
