<div dir="ltr"><div><div><div><div><div>Hi John,<br><br></div>You need root_squash on AND an amanda user with a matching UID/GID<br></div> that owns the nfs share. That way amanda can read and write and root access is not needed. <br>
<br></div>It may be required to run idmapd to translate between nfs-server:amanda and <br>backup-system:amanda if the GIDs can't be made to match.<br><br></div>If the network uses LDAP, then just create the amanda user in LDAP and it should just work with root_squash on.<br>
<br></div>The only headache is if at some point a low-level process that must run as root also needs to access the backup space. It just won't work unless you can copy files as amanda to another place as root. I got hit with this using bacula and a remote nfs share with root_squash on and a need to run low-level btape commands. It just wouldn't work. Root user was totally barred from accessing the space.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 1, 2013 at 5:38 PM, John Heim <span dir="ltr"><<a href="mailto:john@johnheim.net" target="_blank">john@johnheim.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
My department got some space on a file server at another department. I can access it via an NFS mount. But I guess the root_squash option is set for the share because all the files I create are owned by nobody:root and I can't change the ownership. I want to use this space for amanda virtual tapes. Amanda doesn't want to run as user root.<br>
<br>
So I'm thinking of asking the other department to turn off root_squash (set no_root_squash option for the share). But I don't want to look like a dope so I want to make sure I'm right about one thing ... It doesn't make my data any less secure, right? Here's my reasoning:<br>
<br>
I can create files only as nobody:root anyway. The share is restricted by IP to just one machine. But if somebody gets past that (by spoofing the IP address or whatever) and mounts the share, they'd have the same access as I do when I'm using the share legitimately. That is true regardless of whether the root_squash or no_root_squash option is set.<br>
<br>
If there were other users besides root creating files on the share it would be different. You don't want john getting access to mary's files by just becoming root on his own machine. John could plug his laptop into the network, su to root, mount mary's home directory, and read her files. The root_squash option prevents that but it doesn't apply in the case of a backup server, right? If somebody gets past the IP restriction, they'd have the same access regardless of whether root is squashed. (I think.)<br>
<br>
I think I'm going to have to figure out how to encrypt data written to a amanda virtual tape. But that's a question for the amanda list.<br>
<br>
______________________________<u></u>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/<u></u>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/<u></u>listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div>
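The check below is an added example, not code from either poster: it verifies the setup James describes (root_squash left on, and an amanda user whose UID and GID match on the NFS server and the backup client). The passwd-style lines, the /etc/exports line and the 192.0.2.10 address are constructed sample data; on real hosts you would feed in the output of getent passwd amanda from each side.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the setup James recommends:
# root_squash left on, and an "amanda" user whose UID/GID match on the NFS
# server and the backup client. Inputs are constructed passwd-style lines and
# an /etc/exports line; on real hosts you would feed in `getent passwd amanda`.

# check_uid_gid SERVER_PASSWD_LINE CLIENT_PASSWD_LINE -> 0 when uid and gid match
check_uid_gid() {
    s_uid=$(printf '%s' "$1" | cut -d: -f3)
    s_gid=$(printf '%s' "$1" | cut -d: -f4)
    c_uid=$(printf '%s' "$2" | cut -d: -f3)
    c_gid=$(printf '%s' "$2" | cut -d: -f4)
    [ "$s_uid" = "$c_uid" ] && [ "$s_gid" = "$c_gid" ]
}

# export_squashes_root EXPORTS_LINE -> 0 when root stays squashed.
# root_squash is the NFS default, so only an explicit no_root_squash fails.
export_squashes_root() {
    case "$1" in
        *no_root_squash*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_export EXPORTS_LINE SERVER_PASSWD_LINE CLIENT_PASSWD_LINE
# prints a verdict; returns 0 (ok), 1 (root not squashed), 2 (id mismatch)
check_export() {
    if ! export_squashes_root "$1"; then
        echo "FAIL: export disables root_squash"
        return 1
    fi
    if ! check_uid_gid "$2" "$3"; then
        echo "FAIL: amanda UID/GID differ between hosts (fix the IDs or run idmapd)"
        return 2
    fi
    echo "OK: root stays squashed and amanda IDs match on both hosts"
}

# constructed sample data (not from the thread); 192.0.2.10 is a documentation address
SERVER_PW='amanda:x:34:34:Amanda backup:/srv/vtapes:/bin/sh'
CLIENT_PW='amanda:x:34:34:Amanda backup:/var/lib/amanda:/bin/bash'
EXPORT_OK='/srv/vtapes 192.0.2.10(rw,sync,root_squash)'
EXPORT_BAD='/srv/vtapes 192.0.2.10(rw,sync,no_root_squash)'

check_export "$EXPORT_OK" "$SERVER_PW" "$CLIENT_PW"
check_export "$EXPORT_BAD" "$SERVER_PW" "$CLIENT_PW" || true   # expected to FAIL
```

The script only inspects the export options and the numeric IDs; confirming that the export directory itself is owned by that UID/GID (ls -ln on the server) is a separate step.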