backup user

I am thinking about backup solution. In my opinion, the best are bacula, amanda and backuppc. Bacula is too complicated now. Amanda is very good, very secure and it has advanced backup scheduling (auto set when full and when incremental) but it is rather for tapes backup (there are even vtapes for disk backup) and there is no dedyplication.
BackupPC is not so secure but I can use ssh to transfer data (only Linux systems backup) and encrypt disks. But the main goal is deduplication. I want to have backups in some disk matrix, so deduplication is very important.
<<— if you have any suggestions to my choice, fill free to write your opinions :slight_smile:

But now I have main question of that topic:

What user should I use in client devices to backup data? The easiest way is to use root, but it is very unsecure i think :confused: What do you think about that?

On 11/21/2011 08:16 PM, rysic wrote:
> What user should I use in client devices to backup data?

use the least powerful user who has both the right to read all the files
you want to back up and write to the medium/partition you wish to
write to (and, it should be able to read the newly written–to check it
was right written)…

What do you think about that?


DD

So I have to use extended ACLs? Isn’t it slowing Linux?

On Mon, 21 Nov 2011 21:16:03 +0000, rysic wrote:

> So I have to use extended ACLs? Isn’t it slowing Linux?

No, that’s not what he’s saying. As with any administrative task, it’s
generally considered good practice to use an account with the minimum
privileges necessary to get the job done.

If you just want to back up the files in your home directory, it doesn’t
make sense to use the root account to do that.

That’s what the point is.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2011-11-22 01:13, Jim Henderson wrote:
> If you just want to back up the files in your home directory, it doesn’t
> make sense to use the root account to do that.
>
> That’s what the point is.

Actually, backups have to be done by root in Linux, because nobody can copy
/home keeping all the permissions and ownerships. Even if a plain user can
read the files, they will be copied with the owner changed to him, not the
original owner.

A user can backup his home, but not others.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Tue, 22 Nov 2011 01:38:06 +0000, Carlos E. R. wrote:

> On 2011-11-22 01:13, Jim Henderson wrote:
>> If you just want to back up the files in your home directory, it
>> doesn’t make sense to use the root account to do that.
>>
>> That’s what the point is.
>
> Actually, backups have to be done by root in Linux, because nobody can
> copy /home keeping all the permissions and ownerships. Even if a plain
> user can read the files, they will be copied with the owner changed to
> him, not the original owner.
>
> A user can backup his home, but not others.

Which was my point - if the user wants to back up their own home, their
own ID is sufficient.

If they want to do more than that, then an account with more privileges
is necessary.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2011-11-22 02:44, Jim Henderson wrote:
> If they want to do more than that, then an account with more privileges
> is necessary.

But Linux doesn’t have that granularity. No user except root can write
backup files with the correct ownership.

(I’m unsure about tars?)

I hate to say this, but Windows does have more flexibility here. There is a
set of permissions predefined for the backup user precisely. I find Windows
administration complex, all that clicking here and there a thousand times,
instead of filling a text file. But they do have that flexibility, that
granularity of permissions.

Unless I’m mistaken and it can be done with ACLs?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Tue, 22 Nov 2011 02:28:06 +0000, Carlos E. R. wrote:

> On 2011-11-22 02:44, Jim Henderson wrote:
>> If they want to do more than that, then an account with more privileges
>> is necessary.
>
> But Linux doesn’t have that granularity. No user except root can write
> backup files with the correct ownership.

Depends on what the goal is for the OP. If he just wants the data, other
users would be sufficient.

> (I’m unsure about tars?)
>
> I hate to say this, but Windows does have more flexibility here. There
> is a set of permissions predefined for the backup user precisely. I find
> Windows administration complex, all that clicking here and there a
> thousand times, instead of filling a text file. But they do have that
> flexibility, that granularity of permissions.
>
> Unless I’m mistaken and it can be done with ACLs?

I believe it can be done, but I’ve only ever used root to do backups
myself, or (more often) used a tool like partimage to back up the
partition the files are on.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 11/21/2011 10:16 PM, rysic wrote:
> So I have to use extended ACLs?

sorry, i have absolutely no idea what an “extended ACL” is…care to
eleborate?


DD

Am 22.11.2011 03:28, schrieb Carlos E. R.:
> (I’m unsure about tars?)
With tar it should be possible as a normal user (-p switch) but I cannot
test that right now.
You will of course need root rights when you restore from the tar to
restore the owner.


PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.7.3 |
nVidia ION | 3GB Ram

What exactly do you want to backup and how much? If it is all in /home/user and will fit on a DVD, just copy to a DVD. A user can do that.

On 2011-11-22 12:26, john hudson wrote:
>
> What exactly do you want to backup and how much? If it is all in
> /home/user and will fit on a DVD, just copy to a DVD. A user can do
> that.

His home, yes. Other homes, not.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-11-22 11:03, DenverD wrote:
> On 11/21/2011 10:16 PM, rysic wrote:
>> So I have to use extended ACLs?
>
> sorry, i have absolutely no idea what an “extended ACL” is…care to
> eleborate?
>


apropos acl


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 11/22/2011 02:33 PM, Carlos E. R. wrote:
>


> apropos acl
> 

that works nice, but


apropos 'extended acl'
apropos "extended acl"
apropos extended acl

do not…


apropos extended | grep acl

turns up something about NTFS (i know very little about that also)

so i go to google to try to learn about “extended ALC” and see it is too
confusing for my needs…

apparently the OP (questioner) has need to backup across a
network…something i’ve not had to do… (yeah!)


DD

About extended ACLs:

For me, normal ACLs are in example:


-rwx------

and extended ACLs are:


getfacl --omit-header dir
user::rwx
user:joe:rwx
group::r-x
mask::rwx
other::---

But it is slowing down system: POSIX Access Control Lists on Linux

I need backup for servers, so I’m thinking often about backup whole files in Linux (is is sometimes good for security to have previous versions of files when you discover attack to find way of attack).
I chose BackupPC and to secure transfer I want to use ssh. But to do backup I need to login as a root as you wrote - via SSH. To do that I can create some SSH keys for backup server but it is very unsecure to have in one server (backup server) SSH keys to login into all servers as a root!!! :expressionless:

@robin_listas, it is sad but yes you are rught… In that case M$ is better. Tere is SYSTEM user and Windows is marking backed up files.

On 2011-11-22 16:35, DenverD wrote:
> On 11/22/2011 02:33 PM, Carlos E. R. wrote:

> that works nice, but

Yes, I know. ‘Apropos’ is not that clever.

I still do not know how ACLs work.

> so i go to google to try to learn about “extended ALC” and see it is too
> confusing for my needs…

I’m not surprised. Wikipedia perhaps. I don’t remember if the suse ref book
has some on it, I think it does. In that case, it should be far easier to read.

> apparently the OP (questioner) has need to backup across a
> network…something i’ve not had to do… (yeah!)

Amanda, perhaps, IIRC.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Am 22.11.2011 23:28, schrieb Carlos E. R.:
> I’m not surprised. Wikipedia perhaps. I don’t remember if the suse ref book
openSUSE Security Guide Chapter 10
/usr/share/doc/manual/opensuse-manuals_en/manual/cha.security.acls.html
should be installed by default


PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.7.3 |
nVidia ION | 3GB Ram

On 2011-11-22 23:38, Martin Helm wrote:
> openSUSE Security Guide Chapter 10

Ah, there. :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)