Hello,
I've been working on Windows ACL support for BackupPC.
Here's my approach:
I first let the normal backup process run, using ssh+rsync. Then I
call setacl.exe (http://setacl.sourceforge.net) through ssh to dump
the ACLs of the saved files. I put it in
$TopDir/pc/$hostName/$shareName/acls.
Upon restore, I modify this list to only contain the selected files,
and to reflect the new location they are being saved to, and then I
call setacl.exe again on the target host to restore the ACLs.
I believe that the approach of using a second channel to save ACLs
separately from the files is good, because regular file transfer tools
that support ACLs tend to also do all kinds of semantic mappings, and
we might as well lose information in the round-trip --especially
regarding the richer w2k/xp semantics. Cross-platform ACL support also
implies that you have included your BackupPC server in your Windows
or ActiveDirectory domain --a pain to set up.
Here are some of the shortcomings of the current implementation:
- it relies on sshd. We could do something with samba's smbcacls, but
I feel it is much too primitive for serious ACL backup. Maybe it
should be patched to support SDDL (MS's textual ACL description
language) first. Then we could get a 100% Samba solution.
- it only works if ssh+rsync are used to back up each Windows
client. Nothing one can't do, but a little bothersome to set up. I
believe it should be possible to use setacl's network support to use
a single Windows "pivot" server (with sshd) to manipulate ACLs on all
the other computers of a domain.
- it is not well integrated in the BackupPC code. I inserted code in
BackupPC_dump and BackupPC_restore, but a new module could be more
appropriate. I am not satisfied with my choice of config parameters.
Variable expansion in config parameters is ad-hoc, and
there could be some issues if the values interfere with regexp
syntax --I believe there is already expansion code hidden somewhere in
BackupPC. Also, my Perl looks like I was writing Python code;)
- its output is not logged. I watch it from the command-line. So, no
error reporting from the user's point-of-view.
- it is not well tested. The ssh command's special character
expansion is still magic to me, so I may have missed some gotchas. I
got it to work on my wife's single w2k NTFS disk. I haven't tried
file or owner names with special or non-ASCII characters yet.
- I'm still struggling with Windows permissions (how do I know if I
have enough of them to backup and restore files and their
permissions?) and setacl.exe. Right now I'm getting the
dreaded "The data area passed to a system call is too small" error,
but I feel it's not my fault so I'm posting this code anyway.
- I haven't documented it (yet). You need to install SSHD (plus rsync
and setacl.exe) to get it working. I'll write down my procedure someday.
The two files I've modified, as well as my client config file, are
available here:
http://alysse.dyndns.org/tom/misc/bpc_acl/
(search "ACL").
I would greatly appreciate comments on the code by someone familiar
with the BackupPC internals. I will at least try to clean it up and
follow your suggestions before it gets published any further.
I would also like comments by people who are familiar with Windows ACLs.
The Free Software offering for backup is strong and rich, but Windows
ACL backup is still mostly missing. Not for long, I hope.
Have fun,
--
Thomas Tempé
http://alysse.dyndns.org/tom
Big trouble ahead:
http://www.lifeaftertheoilcrash.net/
http://maritimes.buffaloimc.org:8080/news/2004/01/7305.php
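
The restore step described in the message (narrowing the saved ACL list to the selected files and rewriting paths to the new location), as an added example that is not the author's code: it compares path prefixes literally instead of interpolating them into regexes, the concern the post raises about values interfering with regexp syntax. The one-entry-per-line `"path",type,"SDDL"` listing format, the sample entries and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample listing in the assumed format: "path",type,"SDDL".
my @dump = split /\n/, <<'END';
"C:\data\a+b (1).txt",1,"O:BAD:(A;;FA;;;BA)"
"C:\data\a+b (1).txt.bak",1,"O:BAD:(A;;FA;;;BA)"
"c:\DATA\Sub\report.doc",1,"O:BAD:(A;;FR;;;WD)"
"C:\data\subdir\other.txt",1,"O:BAD:(A;;FA;;;SY)"
END

# Return what follows $root in $path ('' for an exact match), or undef when
# $path is neither $root nor below it. No regex is built from $root, so
# characters such as + ( ) . in file names cannot change the match.
sub tail_under {
    my ($path, $root) = @_;
    $root =~ s/\\+$//;                                  # ignore trailing backslashes
    return unless lc(substr($path, 0, length $root)) eq lc($root);  # NTFS names: case-insensitive
    my $rest = substr($path, length $root);
    return unless $rest eq '' || $rest =~ /^\\/;        # stop at a component boundary
    return $rest;
}

# Keep only entries under one of the selected paths, and move them from the
# original root $old to the restore root $new. The type and SDDL fields are
# passed through untouched.
sub filter_acl_list {
    my ($lines, $selected, $old, $new) = @_;
    $new =~ s/\\+$//;
    my @out;
    for my $line (@$lines) {
        my ($path, $fields) = $line =~ /^"([^"]*)"(,.*)$/ or next;  # skip malformed lines
        next unless grep { defined tail_under($path, $_) } @$selected;
        my $rest = tail_under($path, $old);
        next unless defined $rest;                      # outside the backed-up root
        push @out, qq{"$new$rest"$fields};
    }
    return @out;
}

my @selected = ('C:\data\a+b (1).txt', 'C:\data\sub');
print "$_\n" for filter_acl_list(\@dump, \@selected, 'C:\data', 'D:\restore');
```

Only the first and third sample entries are emitted: `a+b (1).txt.bak` and `subdir\other.txt` share a string prefix with a selected path but are not the selected file or inside the selected directory.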