[ale] root_squash on backup server

Jim Kinney jim.kinney at gmail.com
Tue Oct 1 18:34:34 EDT 2013 

Hi John,

You need root_squash on AND an amanda user with a matching UID/GID
 that owns the nfs share. That way amanda can read and write and root
access is no needed.

It may be required to run idmapd to translate between nfs-server:amanda and
backup-system:amanda if the GIDs can't be made to match.

If the network uses LDAP, then just create the amanda user in LDAP and
should just work with root_squash on.

The only headache is if at some point a low-level process that must run as
root also needs to access the backup space. It just won't work unless you
can copy files as amanda to another place as root. I got hit with this
using bacula and a remote nfs share with root_squash on and a need to run
low-level btape commands. it just wouldn't work. Root user was totally
barred from accessing the space.


On Tue, Oct 1, 2013 at 5:38 PM, John Heim <john at johnheim.net> wrote:

> My department got some space on a file server at another department. I can
> access it via an NFS mount. BBut I guess the root_squash option is set for
> the share because all the files I create are owned by nobody:root and I
> can't change the ownership. I want to use this space for amanda virtual
> tapes. Amanda doesn't want to run as user root.
>
> So I'm thinking of asking the other department to turn off root_squash
> (set no_root_squash option for the share). But I don't want to look like a
> dope so I want to make sure I'm right about one thing ... It doesn't make
> my data any less secure, right? Here's my reasoning:
>
> I can create files only as nobody:root anyway. The share is restricted by
> IP to just one machine. But if somebody gets past that (by spoofing the IP
> address or whatever) and mounts the share, they'd have the same access as I
> do when I'm using the share legitimately. That is true regardless of
> whether the root_squash or no_root_squash option is set.
>
> If there were other users besides root creating files on the share it
> would be different. You don't want  john getting access to mary's files by
> just becoming root on his own machine. John could plug his laptop into the
> network, su to root, mount mary's home directory, and read her files. The
> root_squash option prevents that but it doesn't apply in the case of a
> backup server, right? If somebody gets past the IP restriction, they'd ahve
> the same access regardless of whether  whether root is squashed. (I think.)
>
>
>
> I think I'm going to have to figure out how to encrypt  data written to a
> amanda virtual tape. But that's a question for the amanda list.
>
> ______________________________**_________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/**listinfo/ale<http://mail.ale.org/mailman/listinfo/ale>
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/**listinfo<http://mail.ale.org/mailman/listinfo>
>



-- 
-- 
James P. Kinney III
*
*Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*
http://heretothereideas.blogspot.com/
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20131001/155ea2d6/attachment-0001.html>

More information about the Ale mailing list