From: Sylvain M. <sy...@me...> - 2004-11-29 09:43:51
Hello,

I'm trying to use bobs to back up 2 folders exported by NFS:
/home/cvsroot and
/home/bugs

All works great for the first directory, but I can't see the files of the second
directory with the web interface. I suspect the problem is related to the
files' rights:
Files in /home/bugs have the following rights:
[root@machine-cvs root]# ll /home/bugs
total 21000
-rw-r-----    1 mysql    mysql        8868 jui  4  2003 attachments.frm
-rw-r-----    1 mysql    mysql    20388072 sep 27 11:09 attachments.MYD
-rw-r-----    1 mysql    mysql       10240 sep 27 11:09 attachments.MYI
....

The backup seems to be OK:
sylvain@pasteque bobs $ ll /var/bobsdata/current/machine-cvs/bugzilla
total 21000
-rw-r-----    1 76       76           8868 jui  4  2003 attachments.frm
-rw-r-----    1 76       76       20388072 sep 27 11:09 attachments.MYD
-rw-r-----    1 76       76          10240 sep 27 11:09 attachments.MYI
...

machine-cvs contains the directory I want to back up;
pasteque is the machine on which bobs is installed.

Do the backed-up files and directories have to be readable by apache to appear in the
web interface? Do I have to declare the user and group mysql with uid and gid 76
on the machine with bobs?

Thanks for your help!

sylvain

From: Jochen M. <j.m...@om...> - 2004-12-06 13:03:30
Hi,

On Mon, 2004-11-29 at 10:44, Sylvain MEILARD wrote:
> Hello,
>
> I'm trying to use bobs to back up 2 folders exported by NFS:
> /home/cvsroot and
> /home/bugs
>
> All works great for the first directory, but I can't see the files of the second
> directory with the web interface. I suspect the problem is related to the
> files' rights:
> Files in /home/bugs have the following rights:
> [root@machine-cvs root]# ll /home/bugs
> total 21000
> -rw-r-----    1 mysql    mysql        8868 jui  4  2003 attachments.frm
> -rw-r-----    1 mysql    mysql    20388072 sep 27 11:09 attachments.MYD
> -rw-r-----    1 mysql    mysql       10240 sep 27 11:09 attachments.MYI
> ....
>
> The backup seems to be OK:
> sylvain@pasteque bobs $ ll /var/bobsdata/current/machine-cvs/bugzilla
> total 21000
> -rw-r-----    1 76       76           8868 jui  4  2003 attachments.frm
> -rw-r-----    1 76       76       20388072 sep 27 11:09 attachments.MYD
> -rw-r-----    1 76       76          10240 sep 27 11:09 attachments.MYI
> ...
>
> machine-cvs contains the directory I want to back up;
> pasteque is the machine on which bobs is installed.
>
> Do the backed-up files and directories have to be readable by apache to appear in the
> web interface?

Yes, backups should be readable by bobs, else you will not be able to
view it by bobs, I assume.

Cheers

Jochen Metzger

From: Sylvain M. <sy...@me...> - 2004-12-07 09:07:47
> Hi,
>
> On Mon, 2004-11-29 at 10:44, Sylvain MEILARD wrote:
>> Hello,
>>
>> I'm trying to use bobs to back up 2 folders exported by NFS:
>> /home/cvsroot and
>> /home/bugs
>>
>> All works great for the first directory, but I can't see the files of the
>> second
>> directory with the web interface. I suspect the problem is related to the
>> files' rights:
>> Files in /home/bugs have the following rights:
>> [root@machine-cvs root]# ll /home/bugs
>> total 21000
>> -rw-r-----    1 mysql    mysql        8868 jui  4  2003 attachments.frm
>> -rw-r-----    1 mysql    mysql    20388072 sep 27 11:09 attachments.MYD
>> -rw-r-----    1 mysql    mysql       10240 sep 27 11:09 attachments.MYI
>> ....
>>
>> The backup seems to be OK:
>> sylvain@pasteque bobs $ ll /var/bobsdata/current/machine-cvs/bugzilla
>> total 21000
>> -rw-r-----    1 76       76           8868 jui  4  2003 attachments.frm
>> -rw-r-----    1 76       76       20388072 sep 27 11:09 attachments.MYD
>> -rw-r-----    1 76       76          10240 sep 27 11:09 attachments.MYI
>> ...
>>
>> machine-cvs contains the directory I want to back up;
>> pasteque is the machine on which bobs is installed.
>>
>> Do the backed-up files and directories have to be readable by apache to appear in the
>> web interface?
> Yes, backups should be readable by bobs, else you will not be able to
> view it by bobs, I assume.

OK, that's what I was thinking, but the files which are backed up don't have
the right of reading for others. I'm not sure it's a good idea to change the
rights on those files. I was hoping there is a way to use cmdloop to perform
operations for which apache's rights are not enough. Am I wrong? (Yes, I'm
afraid...)

Thanks!

sylvain

>
> Cheers
>
> Jochen Metzger

From: Joe Z. <joe...@za...> - 2004-12-07 16:54:54
Sylvain MEILARD wrote:

>>Hi,
>>
>>On Mon, 2004-11-29 at 10:44, Sylvain MEILARD wrote:
>>
>>>Hello,
>>>
>>>I'm trying to use bobs to back up 2 folders exported by NFS:
>>>/home/cvsroot and
>>>/home/bugs
>>>
>>>All works great for the first directory, but I can't see the files of the
>>>second
>>>directory with the web interface. I suspect the problem is related to the
>>>files' rights:
>>>Files in /home/bugs have the following rights:
>>>[root@machine-cvs root]# ll /home/bugs
>>>total 21000
>>>-rw-r-----    1 mysql    mysql        8868 jui  4  2003 attachments.frm
>>>-rw-r-----    1 mysql    mysql    20388072 sep 27 11:09 attachments.MYD
>>>-rw-r-----    1 mysql    mysql       10240 sep 27 11:09 attachments.MYI
>>>....
>>>
>>>The backup seems to be OK:
>>>sylvain@pasteque bobs $ ll /var/bobsdata/current/machine-cvs/bugzilla
>>>total 21000
>>>-rw-r-----    1 76       76           8868 jui  4  2003 attachments.frm
>>>-rw-r-----    1 76       76       20388072 sep 27 11:09 attachments.MYD
>>>-rw-r-----    1 76       76          10240 sep 27 11:09 attachments.MYI
>>>...
>>>
>>>machine-cvs contains the directory I want to back up;
>>>pasteque is the machine on which bobs is installed.
>>>
>>>Do the backed-up files and directories have to be readable by apache to appear in the
>>>web interface?
>>>
>>Yes, backups should be readable by bobs, else you will not be able to
>>view it by bobs, I assume.
>>
>
>OK, that's what I was thinking, but the files which are backed up don't have
>the right of reading for others. I'm not sure it's a good idea to change the
>rights on those files. I was hoping there is a way to use cmdloop to perform
>operations for which apache's rights are not enough. Am I wrong? (Yes, I'm
>afraid...)
>
>Thanks!
>
>sylvain
>

But you can still use konqueror to manage the files. You can even split
the screen with sftp:// or an nfs mount on one side if you want to
restore files. It's just the restore interface that's inoperative. Any
ideas on how to fix that without breaking security too badly?

Joe

From: Sylvain M. <sy...@me...> - 2004-12-07 17:28:50
> Sylvain MEILARD wrote:
>
>>>Hi,
>>>
>>>On Mon, 2004-11-29 at 10:44, Sylvain MEILARD wrote:
>>>
>>>>Hello,
>>>>
>>>>I'm trying to use bobs to back up 2 folders exported by NFS:
>>>>/home/cvsroot and
>>>>/home/bugs
>>>>
>>>>All works great for the first directory, but I can't see the files of the
>>>>second
>>>>directory with the web interface. I suspect the problem is related to the
>>>>files' rights:
>>>>Files in /home/bugs have the following rights:
>>>>[root@machine-cvs root]# ll /home/bugs
>>>>total 21000
>>>>-rw-r-----    1 mysql    mysql        8868 jui  4  2003 attachments.frm
>>>>-rw-r-----    1 mysql    mysql    20388072 sep 27 11:09 attachments.MYD
>>>>-rw-r-----    1 mysql    mysql       10240 sep 27 11:09 attachments.MYI
>>>>....
>>>>
>>>>The backup seems to be OK:
>>>>sylvain@pasteque bobs $ ll /var/bobsdata/current/machine-cvs/bugzilla
>>>>total 21000
>>>>-rw-r-----    1 76       76           8868 jui  4  2003 attachments.frm
>>>>-rw-r-----    1 76       76       20388072 sep 27 11:09 attachments.MYD
>>>>-rw-r-----    1 76       76          10240 sep 27 11:09 attachments.MYI
>>>>...
>>>>
>>>>machine-cvs contains the directory I want to back up;
>>>>pasteque is the machine on which bobs is installed.
>>>>
>>>>Do the backed-up files and directories have to be readable by apache to appear in
>>>>the
>>>>web interface?
>>>>
>>>Yes, backups should be readable by bobs, else you will not be able to
>>>view it by bobs, I assume.
>>>
>>
>>OK, that's what I was thinking, but the files which are backed up don't have
>>the right of reading for others. I'm not sure it's a good idea to change the
>>rights on those files. I was hoping there is a way to use cmdloop to
>>perform
>>operations for which apache's rights are not enough. Am I wrong? (Yes, I'm
>>afraid...)
>>
>>Thanks!
>>
>>sylvain
>>
> But you can still use konqueror to manage the files. You can even split
> the screen with sftp:// or an nfs mount on one side if you want to
> restore files. It's just the restore interface that's inoperative. Any
> ideas on how to fix that without breaking security too badly?

I think it won't be easy... Apache should have reading right on backed-up files.
So cmdloop should additionally back up uids' owners of files, and then make
apache the owner. When restoring files, cmdloop would have to change again the
owner of the backed-up files to be restored, and then restore them (and then
make apache own the files again). The problem is that it would be hard to prevent a
bad user from restoring files on which he has no right...

For now, what happens if a user tries to restore files on which he has no right?
Does cmdloop do a "su user -" before rsyncing? It implies that uids have to be
synchronized between the bobs machine and the machines to be backed up, doesn't it?

Sylvain

>
> Joe

From: Joe Z. <jz...@co...> - 2004-12-08 05:43:58
Sylvain MEILARD wrote:

>I think it won't be easy... Apache should have reading right on backed-up files.
>

Or something in the web interface needs elevated privileges, like a
setuid program that is limited to only extracting the directory listing.

>So cmdloop should additionally back up uids' owners of files, and then make
>apache the owner. When restoring files, cmdloop would have to change again the
>owner of the backed-up files to be restored, and then restore them (and then
>make apache own the files again). The problem is that it would be hard to prevent a
>bad user from restoring files on which he has no right...
>

No. rsync will keep the numeric uid on the file. cmdloop runs as root so
it won't have a permission problem restoring. When you select something
to restore, cmdloop processes the request.

>For now, what happens if a user tries to restore files on which he has no right?
>

If he can select the file to restore in the bobs interface, cmdloop will
restore it.

>Does cmdloop do a "su user -" before rsyncing? It implies that uids have to be
>synchronized between the bobs machine and the machines to be backed up, doesn't it?
>

No. rsync retains the original uid. Here's a directory listing from one
of my backups that contains users not on the bobs system:

drwx------    2 507      502          4096 Nov  7 15:47 bounce
drwx------   25 507      502          4096 Oct 17 17:51 info
drwx------    2 505      502          4096 Dec  5 05:20 intd
drwx------   25 507      502          4096 Oct 17 17:51 local
drwxr-x---    2 505      502          4096 Oct 17 17:51 lock
drwxr-x---   25 505      502          4096 Oct 17 17:51 mess
drwx------    2 505      502          4096 Dec  5 05:20 pid
drwx------   25 507      502          4096 Oct 17 17:51 remote
drwxr-x---    2 505      502          4096 Dec  5 05:20 todo

The only problem is not being able to view/select files to restore
through the bobs web interface if the directory is not publicly
readable. The restore itself is fine.

Joe

From: Sylvain M. <sy...@me...> - 2004-12-08 09:33:31
> Sylvain MEILARD wrote:
>
>>I think it won't be easy... Apache should have reading right on backed-up
>> files.
>>
> Or something in the web interface needs elevated privileges, like a
> setuid program that is limited to only extracting the directory listing.
>

Yes, it could be a better solution. This program could be owned by
root:apache, with execution right for the group, and no right for others.
Apache should only use it to read the directory used for backup. It would be very
simple and fast to write it in C. If you lack time, I'm ready to do it. It
would simply consist in using opendir(), readdir(), stat() ? and closedir().

[...]

>>For now, what happens if a user tries to restore files on which he has no right
>> ?
>>
> If he can select the file to restore in the bobs interface, cmdloop will
> restore it.
>

But the user can see all files and dirs on which apache has reading right,
even if the user himself has no right on them, can't he? And he could also
restore them, still with no right?

Regards,

sylvain

[...]

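The restricted listing helper proposed in the message above, sketched as an added example (not code from this thread or from the bobs project): it uses the opendir()/readdir()/stat()-family calls Sylvain names and adds a containment check, so the privileged program only lists paths under the backup root. The function names are hypothetical, and BACKUP_ROOT is assumed from the path shown earlier in the thread.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Assumption: backup tree as shown in the thread; adjust to the local setup. */
#define BACKUP_ROOT "/var/bobsdata/current"

/* Accept req only if its realpath() (".." and symlinks resolved) is root or below it. */
int resolve_under_root(const char *root, const char *req, char out[PATH_MAX])
{
    char base[PATH_MAX];
    if (!realpath(root, base) || !realpath(req, out)) return -1;
    size_t n = strlen(base);
    /* Compare whole components: "/data2" must not pass for root "/data". */
    if (strncmp(base, out, n) != 0 || (out[n] != '/' && out[n] != '\0')) return -1;
    return 0;
}

/* Write "mode uid gid size name" per entry; return entry count or -1. */
int list_backup_dir(const char *root, const char *req, FILE *dst)
{
    char path[PATH_MAX];
    struct dirent *e;
    struct stat st;
    int count = 0;
    if (resolve_under_root(root, req, path) != 0) return -1;
    DIR *d = opendir(path);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* lstat semantics: describe a symlink itself, never its target. */
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        fprintf(dst, "%o %ld %ld %lld %s\n", (unsigned)(st.st_mode & 07777),
                (long)st.st_uid, (long)st.st_gid, (long long)st.st_size, e->d_name);
        count++;
    }
    closedir(d);
    return count;
}

int main(int argc, char **argv)
{
    return (argc == 2 && list_backup_dir(BACKUP_ROOT, argv[1], stdout) >= 0) ? 0 : 1;
}
```

Installed as proposed in the thread (owner root, group apache, setuid bit, no access for others), this corresponds to mode 4750. The caller still has to treat the listing as untrusted text, since backed-up file names can contain any byte except '/' and NUL.
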
From: Joe Z. <joe...@za...> - 2004-12-08 17:26:00
Sylvain MEILARD wrote:

>>Sylvain MEILARD wrote:
>>
>>>I think it won't be easy... Apache should have reading right on backed-up
>>>files.
>>>
>>Or something in the web interface needs elevated privileges, like a
>>setuid program that is limited to only extracting the directory listing.
>>
>Yes, it could be a better solution. This program could be owned by
>root:apache, with execution right for the group, and no right for others.
>Apache should only use it to read the directory used for backup. It would be very
>simple and fast to write it in C. If you lack time, I'm ready to do it. It
>would simply consist in using opendir(), readdir(), stat() ? and closedir().
>[...]
>

You'll have to dig into the source code to see where to hook in the
setuid program. I'm not very familiar with the web interface portion.

>>>For now, what happens if a user tries to restore files on which he has no right
>>>?
>>>
>>If he can select the file to restore in the bobs interface, cmdloop will
>>restore it.
>>
>But the user can see all files and dirs on which apache has reading right,
>even if the user himself has no right on them, can't he? And he could also
>restore them, still with no right?
>

Yes, that's right. The only thing the user needs is the password for the
bobs interface.

From: Sylvain M. <sy...@me...> - 2004-12-08 17:55:12
>>>Sylvain MEILARD wrote:
>>>
>>>>I think it won't be easy... Apache should have reading right on backed-up
>>>>files.
>>>>
>>>Or something in the web interface needs elevated privileges, like a
>>>setuid program that is limited to only extracting the directory listing.
>>>
>>Yes, it could be a better solution. This program could be owned by
>>root:apache, with execution right for the group, and no right for others.
>>Apache should only use it to read the directory used for backup. It would be very
>>simple and fast to write it in C. If you lack time, I'm ready to do it. It
>>would simply consist in using opendir(), readdir(), stat() ? and closedir().
>>[...]
>>
> You'll have to dig into the source code to see where to hook in the
> setuid program. I'm not very familiar with the web interface portion.

I will have a look at it today, and I'll tell you tomorrow.

Regards,

sylvain