SUMMARY: Backup fails on "permission denied"

From: Liang, Warren (Warren.Liang@sms-ito.com)
Date: Wed Jul 23 2003 - 11:17:32 EDT


Good Morning:

Thanks to Dr. Blinn's and Peter Wolfe's valuable information, the "operator" is
able to complete the backup.
I granted the setuid permission bit on the file /sbin/vdump and changed the operator
account's group id to match /sbin/vdump.

Thanks.

Dr. Blinn's response:
Generally speaking, the reason backup utilities like "vdump" are able to do
a "full" backup when run by the root user is that they inherit the root
user's ability to bypass file system access restrictions.

Your "oper" account lacks that capability.

In Tru64 UNIX (and it has ALWAYS been this way and will not change), a
script can be set "setuid root" but that doesn't make the script have
root privilege.

You could presumably create a small program that would be run setuid
that would in turn "exec" the script. That *might* do what you want.
Or it might not.
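The small setuid program Dr. Blinn sketches, written out as an added example (it is not from this thread or from Tru64): rather than exec'ing a shell script, it runs one fixed vdump command line with a scrubbed environment, and only when the real uid is the assumed "operator" account. The account name, the argument list and the tape device are assumptions taken from the original post.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLOWED_USER "operator"    /* assumption: the backup account name */
#define VDUMP_PATH   "/sbin/vdump" /* path used in the original post */

/* Fixed command line, taken from the post's script. The caller supplies
 * nothing, so the dump cannot be redirected (-f) to a file they choose. */
static char *const vdump_argv[] = {
    "vdump", "-0", "-u", "-v", "-f", "/dev/nrmt0h", "/", NULL
};
/* Minimal environment for the child: no inherited PATH, IFS, LD_* etc. */
static char *const clean_env[] = { "PATH=/sbin:/usr/sbin:/usr/bin", NULL };

/* 1 if the real uid (who actually ran the wrapper) is the allowed account. */
int caller_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

/* The wrapper must be invoked bare; any argument is rejected rather than
 * passed through to vdump. */
int args_acceptable(int argc)
{
    return argc == 1;
}

int main(int argc, char **argv)
{
    struct passwd *pw;
    (void)argv;
    if (!args_acceptable(argc)) {
        fprintf(stderr, "usage: this wrapper takes no arguments\n");
        return 2;
    }
    pw = getpwnam(ALLOWED_USER);
    if (pw == NULL || !caller_allowed(getuid(), pw->pw_uid)) {
        fprintf(stderr, "not authorised to run backups\n");
        return 1;
    }
    /* Make the real uid root too, so vdump's own checks see root, then
     * replace this process with the fixed command; returning means failure. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(VDUMP_PATH, vdump_argv, clean_env);
    perror(VDUMP_PATH);
    return 1;
}
```

Install the compiled binary owned by root with mode 4750 and the backup group, so only that group can invoke it and /sbin/vdump itself need not be setuid.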

Peter Wolfe's response:
The files that you can't access are in different groups (e.g. auth, bin)
from those that the operator account is a member of. So you either have to:
1) Make sure operator is a member of the group for all the files
   you need to back up
or
2) run backups as root.

One solution is to not change the operator's groups and instead
use Division of Privileges (dop) to authorize the operator
account to run vdump as root. The operator would then do:

        dop vdump <switches>
when using vdump and it would run as root.

My original post:
> I am using "operator" account to do backup. The account configuration is:
> Primary group: oper
> Secondary group: backup, dba, operator, and system
>
> Backup script :
> -rwsr-xr-- 1 root backup 270 Jul 21 10:10 mytest
>
> # cat /usr/bin/mytest
> exec > /usr/users/operator/mytest.log 2>&1
> cd /sbin
> vdump -0 -u -v -f /dev/nrmt0h /
> vdump -0 -u -v -f /dev/rmt0h /
>
> Execute the script:
> # at -m now
> /usr/bin/mytest
> #...
> # cat mytest.log
> path : /
> dev/fset : /dev/re0a
> type : ufs
> vdump: Date of last level 0 dump: the start of the epoch
> vdump: Dumping directories
> vdump(bd): unable to open directory <./etc/auth>; [13] Permission denied
> vdump(bd): unable to open directory <./sbin/rc0.d>; [13] Permission denied
> vdump(bd): unable to open directory <./sbin/rc2.d>; [13] Permission denied
> vdump(bd): unable to open directory <./sbin/rc3.d>; [13] Permission denied
> vdump(bd): unable to open directory <./.dt/Desktop>; [13] Permission denied
> vdump(bd): unable to open directory <./tcb/files>; [13] Permission denied
> vdump(bd): unable to open directory <./tcb/lib>; [13] Permission denied
> vdump(bd): unable to open directory <./.netscape-cache>; [13] Permission denied
> vdump(bd): unable to open directory <./.netscape>; [13] Permission denied
> vdump(bd): unable to open directory <./nsmail>; [13] Permission denied
> vdump: Dumping 94701390 bytes, 107 directories, 1644 files
> vdump: Dumping regular files
> bd ./
> bd ./etc/
> bd ./etc/nls/
> bd ./etc/nls/loc/
> bf ./etc/nls/loc/C, 2586
> ...
>

Thanks again and have a nice day,

Warren



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:28 EDT