Bug 80818 - [EBUILD] new package: BackupPC
Bug#: 80818
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: enhancement
Priority: P2
Resolution: FIXED
Assigned To: seemant@gentoo.org
Reported By: chewi@aura-online.co.uk
Component: Ebuilds
URL: http://backuppc.sourceforge.net
Summary: [EBUILD] new package: BackupPC
Keywords: EBUILD
Status Whiteboard:
Opened: 2005-02-04 19:47 0000

There seems to be much demand for BackupPC so I've created an ebuild! Security
seems to be something of an issue though. This ebuild configures BackupPC to
run as the apache user. This isn't the safest option but it isn't the most
dangerous option either and it is much easier to configure. Good system admins
can make whatever adjustments they see fit. This thread has more details.
http://forums.gentoo.org/viewtopic.php?p=2057278
I'm definitely interested in this one. :)
Hi James,
some small questions on your ebuild:
- is it possible to use ${PV} instead of $MAJ and $MIN (or perhaps generate them
from ${PV}?)
- do you have to create the apache user? I think assuming the apache user lives
in /home/httpd is not correct. What if uid 81 is already in use? /bin/false is
not portable, better use -1. Why not use a separate backuppc user? Your
enewuser could look like:
enewgroup backuppc
enewuser backuppc -1 -1 /var/lib/backuppc backuppc
- Why do you apply a patch on an init-script from the ebuild?
Could you clarify some of my questions please? Thanks for your efforts!
I'm on holiday right now so I can't really deal with this immediately but I will
answer your questions. Since writing this, I have discovered the versionator
eclass so yes, I should be able to work out the filename from ${PV}.
If you read the forum topic that I posted a link to then you will see why I am
using the apache account instead of a backuppc account. Using a backuppc account
would require an entirely separate instance of Apache on a separate port - not
much fun even for an experienced sys admin. Automating the configuration for
that kind of setup would be practically impossible. The user always has the
option of creating a backuppc user themselves if they wish. The way this ebuild
creates the apache user is exactly the same as the way the Apache ebuild does
it itself, except the home folder has since changed to /var/www. I considered
the Apache ebuild to be a good example of how to do things right. If I remember
correctly, an alternative UID is automatically chosen if the specified one is
already in use anyway.
The init script doesn't come from the ebuild. The tarball contains a bunch of
init scripts for various distributions but the Gentoo one is written very badly.
Ideally a correct init script would be sent upstream. I only recently became
aware of the Gentoo belief that all changes should be made upstream when
possible.
I've also just noticed that version 2.1.1 came out in March so this ebuild needs
a version bump.
(In reply to comment #6)
> I've also just noticed that version 2.1.1 came out in March so this ebuild needs
> a version bump.
I've been using version 2.1.1 for several months now and all that version bump
needed was that I renamed the ebuild file to be backuppc-2.1.1.ebuild. :) At
least I can't remember any major issues.
So thank you very much! :)
ah... so, if this ebuild depends somehow on apache being installed, I'd suggest
the ebuild to depend on an installation of apache, so apache itself can deal
with creating a user somehow. As far as I understand now, your ebuild is
useless without apache being installed. If not, I'd suggest to use an apache(2)
useflag to only add the apache functionality if the user wants it.
I'll wait for the version bump, thanks for your feedback.
Yeah that sounds like a good idea. Not sure why I didn't do that before
actually. I don't think it absolutely needs Apache (I've not actually used this
- wrote the ebuild for a friend) but I doubt many people would use it without.
It also occurred to me that this needs to be tied in with webapp-config. I spoke
to Stuart Herbert and he said "If it puts anything in /var/www" then it needs to
work with webapp-config. I'll give him a shout when I'm back from holiday.
I don't know much about the webapp thing, but it was the next thing I was going
to mention, so it's good you already know about it. I think it can work well
with it.
I just took the ebuild posted here some time ago and made some improvements:
- it's bumped to version 2.1.1
- the ebuild now uses webapp-config
- there are two USE flags:
  - apache: adds the cgi interface, which is handled by webapp-config (without
    this flag the ebuild doesn't even copy the cgi interface files, so we have
    pure backuppc, which is much safer)
  - nosuidcgi: there are now two concepts of how backuppc works - without
    nosuidcgi it runs as the backuppc user, with nosuidcgi backuppc works as
    the apache user, as it did in the previous ebuild
- I made apache authorization on the cgi interface (see the postinstall info)
Files:
- backuppc-2.1.1.ebuild
- hook and hook_suid - two webapp files which set privileges on the cgi script
  depending on the USE flag
- init-script
Known problems:
- backuppc has a problem with the status.pl file: when backuppc is restarted via
  the init.d script it won't start if the status.pl file exists. I made a
  temporary solution by deleting this file (inside the init.d script) on every
  application start. This problem is known, but I can't find a solution for it
  yet. It's probably a perl version related problem.
Please test this ebuild, comment on it, propose or create improvements, so I hope
that an ebuild for this great app will be placed in portage some day...
Thanks very much! I haven't had time to get back to this and to be honest, I
only have a vague knowledge of Perl and webapp-config so I wasn't really the
ideal person to be working on this.
I attempted to emerge with this new ebuild. After some clean-up and some added
USE flags (apache, perlsuid). I finally got it started. Although, I previously
had apache2 as a USE flag, so it was installed with that. It appears the build
is not getting a config directory as I get this: "There is no apache module
confdir" But I have had apache installed for quite some time now. Where is the
build getting the variable from in the first place?
(In reply to comment #18)
> I attempted to emerge with this new ebuild. After some clean-up and some added
> USE flags (apache, perlsuid). I finally got it started. Although, I previously
> had apache2 as a USE flag, so it was installed with that. It appears the build
> is not getting a config directory as I get this: "There is no apache module
> confdir" But I have had apache installed for quite some time now. Where is the
> build getting the variable from in the first place?
I discovered my depend.apache eclass is wrong. My modules.d directory is at
/etc/apache2/conf/modules.d/ not /etc/apache2/modules.d
This path problem may be related to running an unstable version of apache2.
BK: Could you please tell which version of apache you have emerged?
> After some clean-up and some added USE flags...
Could you also attach corrected ebuild?
Thanks for testing.
By clean-up I meant I uninstalled the old version of backuppc.
I am running version 2.0.54-r9 of apache. It is the current stable 2.0 in portage.
To get backuppc to install I did not change the ebuild. I edited the
depend.apache eclass file to reflect the correct location for my config files.
Created an attachment (id=68689)
backuppc-2.1.2.ebuild
I ran through the whole ebuild and made some changes. I upgraded to version
2.1.2 as that seems to be stable at the moment.
I am missing a conf.d file, I think, I only see the init.d file. And I don't
really know what the hook files are for.
hi chewi, I was about to check in my own version (which you can kinda see at
http://dev.gentoo.org/~seemant) when I decided to search bugzilla. I see you've
done this stuff a long time before I started my own work on it. Anyway, I've
checked in my ebuild at the moment -- but I think you and I should probably get
together and discuss how best to mesh our ebuilds together -- distilling the
best aspects of each. Any chance you could give the one I've checked in a run and
come to talk to me on IRC?
Thanks!
Seemant
So I basically apply debian's patchset to this and then I added patches for the
docdir location and the init.d and conf.d files. I'd prefer not messing with
suid things if at all possible. I've just checked in app-backup/backuppc-2.1.2.
Please test and give it a run.
thanks!
I'd love to help but as I said, I've not really used BackupPC before (made this
for a friend) and I'm not familiar with webapp-config at all. Fabian's version
of the ebuild is probably the best one to work from.
I have been using BackupPC that I installed from the original 2.1.0 ebuild here
(just bumped the version to 2.1.1). BackupPC runs for me as user apache. I have
created a home and given apache a shell so that I could generate ssh keys for
backup of Linux boxes. I realize this is a security risk.
I have been looking at the new ebuild, which I will try soon on another box. I
have a couple of questions though. The 2.1.2 ebuild has BackupPC running as the
user backuppc, with no shell or home. How is the issue of ssh keys for backup of
Linux boxes dealt with? The backuppc user would need to generate keys, no?
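
The two account setups compared in this thread (the apache user given a shell and home versus a backuppc user without a login shell), as an added example that is not part of the original bug report or of any attached ebuild: the check below reads passwd-format lines and reports whether the named service accounts have an interactive login shell. The function names are hypothetical and the sample entries are constructed; only uid 81, /var/www and /var/lib/backuppc come from the comments above.

```shell
#!/bin/sh
# Added example: report whether named service accounts can log in interactively.
# stdin: passwd(5)-format lines; arguments: account names to check.
# Output per matching account: name:STATUS:shell:home

# Shells that refuse interactive logins (matched by basename).
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

audit_service_accounts() {
    wanted=" $* "
    while IFS=: read -r name _pw _uid _gid _gecos home shell; do
        # Skip accounts that were not asked about.
        case "$wanted" in *" $name "*) ;; *) continue ;; esac
        # An empty shell field in passwd(5) means /bin/sh, i.e. a login shell.
        [ -n "$shell" ] || shell=/bin/sh
        if is_nologin_shell "$shell"; then
            echo "$name:OK:$shell:$home"
        else
            echo "$name:LOGIN-SHELL:$shell:$home"
        fi
    done
}

# Constructed sample: apache with a shell (the setup described as a risk in
# the thread) and a backuppc account without one. uid 101 is made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/bin/bash
backuppc:x:101:101:constructed entry:/var/lib/backuppc:/sbin/nologin
EOF
}

sample_passwd | audit_service_accounts apache backuppc
```

On a live system the same function can be fed from `getent passwd` instead of the sample.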