I would like to give a select number of 'backup operators' -- those who can mount volumes (smb shares) and those who may write to the tape device.
Since the tape device is group owned by disk, I'm assuming the proper way to give these backup operators permissions to write to it is by putting them in group disk.
What about smbmounting? Should I add group disk to sudoers and give that group permissions to run smbmount?
Dear David,
What you suggest is tempting, but actually a blind alley. If you put the operators in group disk they will have enormous power to do damage (e.g. they can write to raw disc partitions) but they still won't have the power they need to read all files to back them up.
I think it is better to design your backup scripts to run as root, and use sudo to restrict access to those scripts. It is certainly simpler, and complexity is the enemy of security.
Bob
On Wed, 1 Feb 2006, David Bear wrote:
I would like to give a select number of 'backup operators' -- those who can mount volumes (smb shares) and those who may write to the tape device.
Since the tape device is group owned by disk, I'm assuming the proper way to give these backup operators permissions to write to it is by putting them in group disk.
What about smbmounting? Should I add group disk to sudoers and give that group permissions to run smbmount?
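
The approach in Bob's reply, sketched as an added example that is not part of the original thread: a root-owned wrapper script that operators reach only through one sudo rule. The group name `backupops`, the script path, the share names, the mount point and the credentials file are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example, hypothetical path: /usr/local/sbin/backup-to-tape
# Install it root-owned and not writable by the operators.
#
# Matching sudoers rule (hypothetical group "backupops"), added with visudo:
#   %backupops ALL = (root) /usr/local/sbin/backup-to-tape
# Operators are not put in group disk and get no sudo right to smbmount.

TAPE=/dev/st0               # assumed tape device
MNT=/mnt/backup-src         # assumed mount point, owned by root
CRED=/etc/backup/smb.cred   # assumed credentials file, readable by root only

# The caller supplies a short name only; the share itself comes from this
# fixed list, so no path, UNC or mount option is ever taken from the operator.
share_for() {
    case "$1" in
        home)     echo "//fileserver/home" ;;
        projects) echo "//fileserver/projects" ;;
        *)        return 1 ;;
    esac
}

run_backup() {
    share=$(share_for "$1") || { echo "unknown share: $1" >&2; return 2; }
    smbmount "$share" "$MNT" -o "ro,credentials=$CRED" || return 3
    tar -cf "$TAPE" -C "$MNT" .
    rc=$?
    umount "$MNT"
    # sudo sets SUDO_USER, which records who asked for the backup.
    logger -t backup-to-tape "user=${SUDO_USER:-unknown} share=$1 rc=$rc"
    return $rc
}

# Act only when invoked as the installed script with exactly one argument.
case "$0" in
    */backup-to-tape)
        PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH  # ignore caller's PATH
        [ $# -eq 1 ] || { echo "usage: $0 SHARE-NAME" >&2; exit 64; }
        run_backup "$1"
        exit $? ;;
esac
```

An operator would run `sudo /usr/local/sbin/backup-to-tape home`; any other argument is rejected before anything is mounted or written to tape.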