Backup jobs don't preserve permissions/ownership #201
Comments
Hi @MihkelParna From Rsync manual:
|
I've tried all of the options and they don't have an effect on the owner. The ending permissions are still 'elkarbackup'. |
Where did you install? Debian? Ubuntu?
Which version?
|
You can edit /etc/cron.d/elkarbackup to change owner of the tick cron to root. That allows ownership preserving. After doing this, you will need to copy the .ssh folder from the elkarbackup home directory to the root user. |
hello |
Regarding --fake-super, it needs the user_xattr mount option, which isn't included in the fs mount "defaults", for the ownership info to be written in xattrs. |
Changing to execute as root user in the cron preserved the ownerships. It'll work for now, cheers |
@rderksenMM does the file browsing under the "Restore" option work? Can you restore a file preserving the permissions and the ownership? Thanks |
I can browse to the file and download it from the web interface, but
then the file ownership changes obviously to the user that I am
downloading the file with.
I'm new to elkarbackup so I don't know if there is a "restore" button
somewhere in the web interface?
In any case if I go in command line and "rsync -a" to restore the file,
it restores fine and keeps the ownership, so that is fine for me.
Best,
RD
|
In theory you can download the tgz file and decompress it as root/sudo. It will preserve the correct permissions and ownership. |
ok thanks for the info. I actually just tested with a file, and the tgz
option is only available for directories. I'll try with a directory.
|
I just did an experiment to see how things are. File is still backed up, no matter the ownership or privileges if the tick cron runs as root. But restore via the web UI may vary. The issue mentioned above isn't an issue for me as I will likely just restore files via rsync anyway to preserve ownership. I'm thinking Elkar should implement an rsync restore function in the web UI similar to what is described at #203 |
agreed with James, same here |
Running the built-in web server as root (I have it running through an Apache proxy) solves the permission problem. Although this seems stable, there may be security issues to this... But for us this works. |
Could you explain how you did that, @gvdijnsen? We can document it then if someone else likes the solution! Thanks! |
As far as documentation, you can edit /etc/apache2/apache2.conf and look for the line with the User configuration. It is on line 109 in the configuration on my system. Replace both the User and the Group configuration with the below.

```
User root
Group root
```

Then restart the computer or restart the service. On Debian 8 (or any other SystemD based system)

```
systemctl restart apache2
```

On Debian 7 (or any other init based system)

```
service apache2 restart
```

Where the Apache configuration is located can differ from machine to machine, for example in CentOS: /etc/httpd/conf/httpd.conf |
OK!
I didn't understand what you mean with an apache proxy!
As you said this solution is not really secure for your system, but if it is
going to be only for an internal network it could be a solution.
We would think about it!
Thanks!
|
@antton I can't exactly read minds or anything, but that would be the way I would run Apache as root. The way @gvdijnsen did it could be totally different, and yes... It can be a HUGE security risk. For example, if a flaw is found to where someone can pass any code to execute on the remote machine, that means they will have root access and be able to inject a root kit on your system. |
@JamesColeman-SH @antton what I did was the following: I entered this in a /etc/cron.d/elkarbackup:
This causes the internal web server to start up. Then I created a virtualhost in Apache that handles the SSL layer and proxies the request. This also helps security a little since only valid http requests will be forwarded and the internal web server is protected somewhat:
Please note: This only works if you enable the proxy and the proxy_http modules in Apache. Because everything is behind a firewall I am willing to live with the possible security consequences, but be careful if you open this to the Internet. |
Hi,
Here how i mount /mnt/backup-server (fstab)
I've tried to switch on and off "Use local permissions" on the job. |
Hi @vassiskansa Could you explain what you are trying to do? Anyway, let us know something more, it looks like you have problems with the ACLs but I'm not completely sure about that. Thanks! |
Hi @antton, I'm trying to back up many Linux servers. I've tried to make the cron execution run as root but the problem is already here. My hosting has many problems changing the owner of the file, however I'm trying to bypass this (rsync works very well, but there is a warning changing file owner). |
Hi @sgregori , yes it's normal. Does it cause any problem in your system? In this case, is it somehow related to this issue or is a new one? Thanks |
@xezpeleta , can you boot any backup without the correct permissions ? I have a daily getfacl cronjob, for easy restoring acl's in case of disaster. |
I see, but currently that's not possible with Elkarbackup. I know there are some workarounds (see comments above), but not officially supported by Elkarbackup. The thing is: it's not trivial to do it. There are some features that would break (like web access to backup files). Or you need to set up your system in a non-secure way (like apache running with root user). So that's why it's still pending. |
Hi, we've been exploring a different approach to do that, using https://github.com/elkarbackup/elkarbackup-scripts/tree/master/backup-permissions I think it's an easy / secure way to achieve the permissions/ownership preservation. The only drawback is that the restore needs two steps: one to obtain the files and another one to recover the permissions using |
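The two-step restore described in the comment above (obtain the files, then recover their permissions), as an added example that is not part of this thread and is not the code of the linked backup-permissions script. The function names `snapshot_metadata` and `restore_metadata` are hypothetical; the manifest is recorded on the client, travels with the backup, and is reapplied after the files are copied back, so the backup job itself never needs root.

```python
import os
import stat


def snapshot_metadata(root):
    """Record mode, uid and gid of every file and directory under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful on Linux
            manifest[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return manifest  # plain dict: store it as JSON next to the backup


def restore_metadata(root, manifest):
    """Reapply a manifest to a restored tree; return entries not fully restored."""
    root_real = os.path.realpath(root)
    incomplete = []
    # Deepest paths first, so a restrictive directory mode is applied last.
    for rel in sorted(manifest, key=lambda p: p.count(os.sep), reverse=True):
        meta = manifest[rel]
        full = os.path.join(root, rel)
        real = os.path.realpath(full)
        # Treat the manifest as untrusted: no escaping root, no symlinks.
        if (os.path.commonpath([real, root_real]) != root_real
                or os.path.islink(full) or not os.path.exists(full)):
            incomplete.append(rel)
            continue
        mode = meta["mode"]
        st = os.lstat(full)
        if (st.st_uid, st.st_gid) != (meta["uid"], meta["gid"]):
            try:
                os.chown(full, meta["uid"], meta["gid"])  # needs root
            except PermissionError:
                # Wrong owner: never reinstate setuid/setgid bits.
                mode &= ~(stat.S_ISUID | stat.S_ISGID)
                incomplete.append(rel)
        os.chmod(full, mode)  # after chown, which clears setuid/setgid
    return incomplete
```

Only the restore step has to run as root, and only when ownership differs; an unprivileged restore still gets the modes back and reports which owners it could not set.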
Hi everyone, new fresh install of elkarbackup on debian 9, and all files saved are elkarbackup:elkarbackup owner/group and permission files omitted too. I don't understand why. I've tried to mod copyrepository.sh, added pog arguments to the rsync command, cleared the cache of symfony. I can see the changes via the elkar interface showing the backupscript but no effect. Thanks in advance |
This is by design and as @xezpeleta said non-trivial to fix. |
Just a tip in case someone catches on this issue and really tries to give a solution to this by-design limitation. Maybe we could preserve original permissions and do a wise use of mount options in order to avoid SUID execution. Or maybe we could even try to restrict access to backup files with AppArmor (or SELinux: https://security.stackexchange.com/questions/30116/restrict-access-to-a-specific-directory-on-linux ) Then we could use "bindfs" (https://bindfs.org/) to make the files accessible for Elkarbackup's restore web interface. Not a simple and obvious task but probably doable and quite robust if done properly. |
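A check for the mount-option idea in the comment above, as an added example that is not part of this thread or of ElkarBackup: once a repository keeps the clients' original ownership, it holds root-owned setuid files, so the filesystem that stores it should be mounted `nosuid` (and `nodev`). The mount points in the sample are constructed, and `mount_for` and `missing_hardening` are hypothetical names.

```python
import os
import re

# Constructed sample in /proc/mounts format (device, mount point, type, options).
SAMPLE_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/backups ext4 rw,relatime 0 0
/dev/sdc1 /srv/backup\040repo ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""


def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal (\040 ...).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mount_for(path, mounts_text):
    """Return (mount_point, options) of the filesystem that holds path."""
    path = os.path.abspath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = _unescape(fields[1])
        inside = mnt == "/" or path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # Longest mount point wins; ">=" lets a later mount shadow an earlier one.
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, set(fields[3].split(",")))
    return best


def missing_hardening(path, mounts_text, required=("nosuid", "nodev")):
    """List the required mount options absent from the filesystem holding path."""
    found = mount_for(path, mounts_text)
    if found is None:
        return sorted(required)
    return sorted(set(required) - found[1])


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print(missing_hardening("/srv/backups", fh.read()))  # hypothetical path
```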
Note I just found a bug that affected local permission backups on upgrade: #529 |
@igorbga, I'm just the peanut gallery, but I have to say that sounds at least an excellent way for this project to move forward |
Did that too. The GUI can still access the files. File and tar download still work. I will put a remark into our own documentation to check the cron job on every ELKARbackup update. Thanks to @JamesColeman-SH for this great workaround! |
Hi,
So we are testing elkarbackup and I ran into an issue where backups are in the 'elkarbackup' user permissions. In the client part under rsync attributes it mentions that the '-a' flag is on by default and I've added the -p flag to bring the permissions over as well but in the end all files are owned by 'elkarbackup' user and group.
At first glance I could not find a way how to preserve permissions while doing a backup (file ownership and permissions)