[opensuse] A Problem of Permission, Groups and Backintime
Good day to everyone. I have a comprehension problem of permissions, groups and "back in time".

Following situation:
user A permissions 700
user B permissions 700
both users belong to group "users"

now: A (and only A!) should be able to backup the data of A and B. This to avoid confusion of the user and make sure he/she does not log out the user before the process of backup has finished. The account A is also an account where no "surfing" or "games" and so on are taking place, thus it is somewhat more valuable than B.

Backintime should be configured to run residential. It should recognize when the external disk for backup is attached by the user and should do then a backup (if criteria are met in terms of time and changes).

B should not be able to do this. Thus when (while user in B) a hdd is attached, the resident process should not start the backup. (This is the desired setup). Both users should stay however in the situation of 700 to each other (as I cannot exclude that in future there will be a third account that shall not have access rights to neither A nor B).

One thought I had was that I could define a group e.g. backintime so to be able to use backintime you would be necessarily a member of it. But that does not resolve me the problem of different access rights for A and B for what is the functionality of backintime.

I do not think that I could make that new user without being part of "users" because I suppose a lot of scripts are taking for granted that you are part of users. Am I mistaken here?

And how would I have to define access rights? If I give backintime root access, this would be unnecessarily wide as it should not run as root, it only has to do a backup of the two home directories.

So in short: how to define two users A and B in order to give A access to the files of B in order to backup them, not give those rights to B, not to work as root. And maintain (if possible - at least for B) the mutual no access thing.

So if necessary A can be able to read B. B shall not be able to read A. Any new user created should have access neither to A nor B. Was that clear or did I lose you completely here?
On 12.01.2020 11:03, stakanov wrote:
> Good day to everyone. I have a comprehension problem of permissions, groups and "back in time".
> Following situation: user A permissions 700 user B permissions 700

Users do not have permissions - files do.

> both users belong to group "users"
> now: A (and only A!) should be able to backup the data of A and B. This to avoid confusion of the user and make sure he/she does not log out the user before the process of backup has finished. The account A is also an account where no "surfing" or "games" and so on are taking place, thus it is somewhat more valuable than B.
> Backintime should be configured to run residential. It should recognize when the external disk for backup is attached by the user and should do then a backup (if criteria are met in terms of time and changes).
> B should not be able to do this. Thus when (while user in B) a hdd is attached, the resident process should not start the backup. (This is the desired setup). Both users should stay however in the situation of 700 to each other (as I cannot exclude that in future there will be a third account that shall not have access rights to neither A nor B).
> One thought I had was that I could define a group e.g. backintime so to be able to use backintime you would be necessarily a member of it. But that does not resolve me the problem of different access rights for A and B for what is the functionality of backintime.

You can set ACL allowing this specific group access to all files.

> I do not think that I could make that new user without being part of "users" because I suppose a lot of scripts are taking for granted that you are part of users. Am I mistaken here?

I am not aware of any dependency on specific user group. Actually having all users in the same group by default is rather dumb as this effectively makes group permissions useless.

> And how would I have to define access rights? If I give backintime root access, this would be unnecessarily wide as it should not run as root, it only has to do a backup of the two home directories.
> So in short: how to define two users A and B in order to give A access to the files of B in order to backup them,

There is no notion of "backup right" in Unix. You must give user A full read access to files of user B if you want user A to be able to (directly) backup files of user B.

> not give those rights to B, not to work as root. And maintain (if possible - at least for B) the mutual no access thing.
> So if necessary A can be able to read B. B shall not be able to read A. Any new user created should have access neither to A nor B.

The only reliable way to make it work is to have backup program run as root. You may play with SGID directories bit or with ACL allowing access but at the end each user is free to change permissions of own files.

To restrict possible damage it may be possible to run backup in separate process and mount namespace, bind-mounting needed directories and giving backup program root permissions in this namespace only.
On Sunday 12 January 2020 09:45:20 CET, Andrei Borzenkov wrote:
So provided:
user A and B are part of "users"
"backintimeuser" is part of "backintimers"
if I

    sudo setfacl -Rm g:backintimer:r /home/A
    sudo setfacl -Rm g:backintimer:r /home/B

should get all the existing files of A and B in their home accessible to backintimers. In order to give all future files and directories created the permission to be backed up by a backintimer member I would then emit:

    sudo setfacl -Rdm g:backintimer:r /home/A
    sudo setfacl -Rdm g:backintimer:r /home/B

for all future entries. Is this correct so far?
Can I use these commands (per user) in one line only while applying?
Do I have to have more than read rights to the directories to backup?
Thank you.
On 14.01.2020 17:37, stakanov wrote:
> So provided: user A and B are part of "users" "backintimeuser" is part of "backintimers" if I
>
>     sudo setfacl -Rm g:backintimer:r /home/A
>     sudo setfacl -Rm g:backintimer:r /home/B
>
> should get all the existing files of A and B in their home accessible to backintimers. In order to give all future files and directories created the permission to be backed up by a backintimer member I would then emit:
>
>     sudo setfacl -Rdm g:backintimer:r /home/A
>     sudo setfacl -Rdm g:backintimer:r /home/B
>
> for all future entries. Is this correct so far?

Default ACL are needed on directories only, so it will waste some space, otherwise I would say yes.

> Can I use these commands (per user) in one line only while applying?

Not sure I understand this question. You can combine multiple ACL in one argument and have multiple file arguments if that is your question.

> Do I have to have more than read rights to the directories to backup?

You need to allow directory traversal ('x' bit). 'r' bit on directory allows listing its content, but to descend in sub-directory you need 'x' bit.
On Tuesday 14 January 2020 19:07:59 CET, Andrei Borzenkov wrote:
> > So provided: user A and B are part of "users" "backintimeuser" is part of "backintimers" if I
> >
> >     sudo setfacl -Rm g:backintimer:r /home/A
> >     sudo setfacl -Rm g:backintimer:r /home/B
> >
> > should get all the existing files of A and B in their home accessible to backintimers. In order to give all future files and directories created the permission to be backed up by a backintimer member I would then emit:
> >
> >     sudo setfacl -Rdm g:backintimer:r /home/A
> >     sudo setfacl -Rdm g:backintimer:r /home/B
> >
> > for all future entries. Is this correct so far?
>
> Default ACL are needed on directories only, so it will waste some space, otherwise I would say yes.

For "first arms" experience I choose then to "squander" a bit of space. Building on that I will have probably more time to do some further experience on a local "testing" case.

> > Can I use these commands (per user) in one line only while applying?
>
> Not sure I understand this question. You can combine multiple ACL in one argument and have multiple file arguments if that is your question.

Yes, in fact. I apologize for my somewhat "rustic" way of asking. Thank you.

> > Do I have to have more than read rights to the directories to backup?
>
> You need to allow directory traversal ('x' bit). 'r' bit on directory allows listing its content, but to descend in sub-directory you need 'x' bit.

O.K. that saves me, as I did not know this at all. Thank you very much.

    sudo setfacl -Rm g:backintimer:rx /home/A
    sudo setfacl -Rm g:backintimer:rx /home/B
    sudo setfacl -Rdm g:backintimer:rx /home/A
    sudo setfacl -Rdm g:backintimer:rx /home/B

should then give the desired xbit.
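
Two points raised in the thread, shown as an added example that is not part of any participant's message: a directory needs 'x' before the backup group can descend into it, and an owner can later cut the group off, because chmod on a file that carries an ACL rewrites the ACL mask. The Python code below audits ACL text in the form printed by `getfacl -c` for the group `backintimer`; the tree, the ACL values and the function names are constructed for illustration.

```python
# Added example: audit ACL text (as printed by `getfacl -c`) for a backup group.
# The tree, its ACLs and all names below are constructed sample data.
GROUP = "backintimer"
BASE = "user::rwx\ngroup::---\ngroup:backintimer:{g}\nmask::{m}\nother::---"

# path -> (is_directory, ACL text)
TREE = {
    "/home/B": (True, BASE.format(g="r-x", m="r-x")),
    # Directory granted 'r' only: it can be listed but not entered.
    "/home/B/mail": (True, BASE.format(g="r--", m="r--")),
    "/home/B/mail/inbox": (False, BASE.format(g="r--", m="r--")),
    "/home/B/notes.txt": (False, BASE.format(g="r--", m="r--")),
    # Owner ran `chmod 600` later: on a file with an ACL the group bits of
    # chmod rewrite the mask, so the entry remains but grants nothing.
    "/home/B/diary.txt": (False, BASE.format(g="r--", m="---")),
}


def effective(acl_text, group):
    """Rights the named group really gets: its entry ANDed with the mask."""
    entry, mask = None, None
    for line in acl_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop "#effective:" notes
        if not line or line.startswith("default:"):
            continue                               # default ACLs grant no access
        tag, qualifier, perms = line.split(":")
        if tag == "group" and qualifier == group:
            entry = set(perms) - {"-"}
        elif tag == "mask":
            mask = set(perms) - {"-"}
    if entry is None:
        return set()
    return entry if mask is None else entry & mask


def audit(tree, group):
    """Return {path: reason} for every path the group cannot back up."""
    problems, blocked = {}, []
    for path in sorted(tree):                      # parents sort before children
        is_dir, acl = tree[path]
        rights = effective(acl, group)
        parent = next((d for d in blocked if path.startswith(d + "/")), None)
        if parent:
            problems[path] = f"unreachable: no 'x' on {parent}"
        elif "r" not in rights:
            problems[path] = "no effective 'r' (missing entry or mask)"
        elif is_dir and "x" not in rights:
            problems[path] = "directory listable but not traversable (no 'x')"
        if is_dir and "x" not in rights:
            blocked.append(path)
    return problems


if __name__ == "__main__":
    for path, reason in audit(TREE, GROUP).items():
        print(f"{path}: {reason}")
```
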
participants (2)
- Andrei Borzenkov
- stakanov