There seems to be much demand for BackupPC so I've created an ebuild! Security seems to be something of an issue though. This ebuild configures BackupPC to run as the apache user. This isn't the safest option but it isn't the most dangerous option either and it is much easier to configure. Good system admins can make whatever adjustments they see fit. This thread has more details. http://forums.gentoo.org/viewtopic.php?p=2057278
Created attachment 50404 backuppc-2.1.0_p1.ebuild
Created attachment 50405 init-script.patch
I'm definitely interested in this one. :)
Thanks for this!
Hi James, some small questions on your ebuild:
- is it possible to use ${PV} instead of $MAJ and $MIN (or perhaps generate them from ${PV}?)
- do you have to create the apache user? I think assuming the apache user lives in /home/httpd is not correct. What if uid 81 is already in use? /bin/false is not portable, better use -1. Why not use a separate backuppc user? Your enewuser could look like:
    enewgroup backuppc
    enewuser backuppc -1 -1 /var/lib/backuppc backuppc
- Why do you apply a patch on an init-script from the ebuild?
Could you clarify some of my questions please? Thanks for your efforts!
I'm on holiday right now so I can't really deal with this immediately but I will answer your questions. Since writing this, I have discovered the versionator eclass so yes, I should be able to work out the filename from ${PV}. If you read the forum topic that I posted a link to then you will see why I am using the apache account instead of a backuppc account. Using a backuppc account would require an entirely separate instance of Apache on a separate port - not much fun even for an experienced sys admin. Automating the configuration for that kind of setup would be practically impossible. The user always has the option of creating a backuppc user themselves if they wish. The way this ebuild creates the apache user is exactly the same as the way the Apache ebuild does it itself, except the home folder has since changed to /var/www. I considered the Apache ebuild to be a good example of how to do things right. If I remember correctly, an alternative UID is automatically chosen if the specified one is already in use anyway. The init script doesn't come from the ebuild. The tarball contains a bunch of init scripts for various distributions but the Gentoo one is written very badly. Ideally a correct init script would be sent upstream. I only recently became aware of the Gentoo belief that all changes should be made upstream when possible. I've also just noticed that version 2.1.1 came out in March so this ebuild needs a version bump.
(In reply to comment #6)
> I've also just noticed that version 2.1.1 came out in March so this ebuild needs
> a version bump.
I've been using version 2.1.1 for several months now and all that version bump needed was that I renamed the ebuild file to be backuppc-2.1.1.ebuild. :) At least I can't remember any major issues. So thank you very much! :)
ah... so, if this ebuild depends somehow on apache being installed, I'd suggest the ebuild to depend on an installation of apache, so apache itself can deal with creating a user somehow. As far as I understand now, your ebuild is useless without apache being installed. If not, I'd suggest to use an apache(2) useflag to only add the apache functionality if the user wants it. I'll wait for the version bump, thanks for your feedback.
Yeah that sounds like a good idea. Not sure why I didn't do that before actually. I don't think it absolutely needs Apache (I've not actually used this - wrote the ebuild for a friend) but I doubt many people would use it without. It also occurred to me that this needs to be tied in with webapp-config. I spoke to Stuart Herbert and he said "If it puts anything in /var/www" then it needs to work with webapp-config. I'll give him a shout when I'm back from holiday.
I don't know much about the webapp thing, but it was the next thing I was going to mention, so it's good you already know about it. I think it can work well with it.
I took the ebuild posted here some time ago and made some improvements:
- it's bumped to version 2.1.1
- the ebuild now uses webapp-config
- there are two USE flags:
  - apache: adds the cgi interface, which is handled by webapp-config (without this flag the ebuild doesn't even copy the cgi interface files, so we have pure backuppc, which is much safer)
  - nosuidcgi: there are now two concepts of how backuppc works: without nosuidcgi it runs as a backuppc user; with nosuidcgi, backuppc works as the apache user, as it did in the previous ebuild
- I made apache authorization on the cgi interface (see the postinstall info)
Files:
- backuppc-2.1.1.ebuild
- hook and hook_suid: two webapp files which set privileges on the cgi script depending on the USE flag
- init-script
Known problems:
- backuppc has a problem with the status.pl file: when backuppc is restarted via the init.d script it won't start if the status.pl file exists. I made a temporary solution by deleting this file (inside the init.d script) on every application start. This problem is known, but I can't find a solution for it yet. It's probably a Perl-version-related problem.
Please test this ebuild, comment on it, and propose or create improvements, so I hope that an ebuild for this great app will be placed in portage some day...
Created attachment 67729 backuppc-2.1.1.ebuild
Created attachment 67730 hook
Created attachment 67731 hook_suid
Created attachment 67732 init-script
Created attachment 67733 backuppc_apache_module
Thanks very much! I haven't had time to get back to this and to be honest, I only have a vague knowledge of Perl and webapp-config so I wasn't really the ideal person to be working on this.
I attempted to emerge with this new ebuild. After some clean-up and some added USE flags (apache, perlsuid), I finally got it started. Although, I previously had apache2 as a USE flag, so it was installed with that. It appears the build is not getting a config directory as I get this: "There is no apache module confdir" But I have had apache installed for quite some time now. Where is the build getting the variable from in the first place?
(In reply to comment #18)
> I attempted to emerge with this new ebuild. After some clean-up and some added
> USE flags (apache, perlsuid), I finally got it started. Although, I previously
> had apache2 as a USE flag, so it was installed with that. It appears the build
> is not getting a config directory as I get this: "There is no apache module
> confdir" But I have had apache installed for quite some time now. Where is the
> build getting the variable from in the first place?
I discovered my depend.apache eclass is wrong. My modules.d directory is at /etc/apache2/conf/modules.d/ not /etc/apache2/modules.d
This path problem may be related to running an unstable version of apache2.
BK: Could you please tell which version of apache you have emerged?
> After some clean-up and some added USE flags...
Could you also attach the corrected ebuild? Thanks for testing.
By clean-up I meant I uninstalled the old version of backuppc. I am running version 2.0.54-r9 of apache. It is the current stable 2.0 in portage. To get backuppc to install I did not change the ebuild. I edited the depend.apache eclass file to reflect the correct location for my config files.
Created attachment 68689 backuppc-2.1.2.ebuild
I ran through the whole ebuild and made some changes. I upgraded to version 2.1.2 as that seems to be stable at the moment. I am missing a conf.d file, I think, I only see the init.d file. And I don't really know what the hook files are for.
Hi chewi, I was about to check in my own version (which you can kinda see at http://dev.gentoo.org/~seemant) when I decided to search bugzilla. I see you've done this stuff a long time before I started my own work on it. Anyway, I've checked in my ebuild at the moment -- but I think you and I should probably get together and discuss how best to mesh our ebuilds together -- distilling the best aspects of each. Any chance you could give the one I've checked in a run and come to talk to me on IRC? Thanks!
Seemant
So I basically apply debian's patchset to this and then I added patches for the docdir location and the init.d and conf.d files. I'd prefer not messing with suid things if at all possible. I've just checked in app-backup/backuppc-2.1.2 Please test and give it a run. thanks!
I'd love to help but as I said, I've not really used BackupPC before (made this for a friend) and I'm not familiar with webapp-config at all. Fabian's version of the ebuild is probably the best one to work from.
I have been using BackupPC that I installed from the original 2.1.0 ebuild here (just bumped the version to 2.1.1). BackupPC runs for me as user apache. I have created a home and given apache a shell so that I could generate ssh keys for backup of Linux boxes. I realize this is a security risk. I have been looking at the new ebuild, which I will try soon on another box. I have a couple of questions though. The 2.1.2 ebuild has BackupPC running as the user backuppc, with no shell or home. How is the issue of ssh keys for backup of Linux boxes dealt with? The backuppc user would need to generate keys, no?