Weblog entry #22 for dkg

Using Debian system-created user accounts?
Posted by dkg on Fri 14 Sep 2007 at 21:47
Does anyone use the backup user for doing local system backups? Or do you create a new user specifically for that?

I ask because backup is Debian-specific uid 34, provided by the base-passwd package. But reading /usr/share/doc/base-passwd/users-and-groups.txt.gz, I find only this:

backup

    Presumably so backup/restore responsibilities can be locally delegated to
    someone without full root permissions?

    HELP: Is that right? Amanda reportedly uses this, details?

So fellow admins: do you use Debian-allocated accounts (i.e., with uid < 100) (other than root) for any local (non-distro) purpose? If so, when do you do so? If not, why not?

 

Comments on this Entry

Posted by mwr (24.158.xx.xx) on Sat 15 Sep 2007 at 20:43
Yes, I use Amanda, and it does default to using the 'backup' account on Debian. On regular Debian installations, permissions on the relevant devices are already set:
# id -a backup
uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
# ls -al /dev/hda?
brw-rw----  1 root disk 3, 1 Mar 14  2002 /dev/hda1
brw-rw----  1 root disk 3, 2 Mar 14  2002 /dev/hda2
brw-rw----  1 root disk 3, 3 Mar 14  2002 /dev/hda3
brw-rw----  1 root disk 3, 4 Mar 14  2002 /dev/hda4
brw-rw----  1 root disk 3, 5 Mar 14  2002 /dev/hda5
brw-rw----  1 root disk 3, 6 Mar 14  2002 /dev/hda6
brw-rw----  1 root disk 3, 7 Mar 14  2002 /dev/hda7
brw-rw----  1 root disk 3, 8 Mar 14  2002 /dev/hda8
brw-rw----  1 root disk 3, 9 Mar 14  2002 /dev/hda9
# ls -al /dev/st?
crw-rw----  1 root tape 9, 0 Mar 14  2002 /dev/st0
crw-rw----  1 root tape 9, 1 Mar 14  2002 /dev/st1
# ls -al /dev/nst?
crw-rw----  1 root tape 9, 128 Mar 14  2002 /dev/nst0
crw-rw----  1 root tape 9, 129 Mar 14  2002 /dev/nst1
So why wouldn't I want to use the backup account for this?

Posted by dkg (166.84.xx.xx) on Sun 16 Sep 2007 at 22:29
Interesting. On my local system that user isn't part of those groups at all:
[0 dkg@squeak ~]$ id -a backup
uid=34(backup) gid=34(backup) groups=34(backup)
[0 dkg@squeak ~]$ 
But to answer your question with another question, why would you want your backup user to have write access to the main block devices you're backing up from? Write access to /dev/hda1 seems like too much power for a backup user to me.

Posted by mwr (24.158.xx.xx) on Mon 17 Sep 2007 at 14:36
Beats me. I'd guess "tradition", but that's entirely a guess. I suppose that if all the following conditions were met, giving backup rw permission to block devices would be required:
  1. You use dump/restore to back up devices instead of tar or some higher-level tool
  2. You want a non-root user to be able to restore a given block device
I'd guess that's not a terribly common case any more, but the security of the backup account should be pretty high by default. It can only be su'ed to, and has no processes listening until you run Amanda or something similar. Newer versions of Amanda can also stick in some relatively heavy public-key authentication, I assume to prevent people from impersonating your backup server or clients.

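An added example, not part of the original thread and not written by either commenter: a small shell audit of the concern discussed above, listing the device nodes an account can write to purely through supplementary group membership. The function names are hypothetical, and the sample data is constructed, modelled on the two `id` outputs and the `ls` listing in the comments, plus one invented read-only /dev/sda line.

```shell
#!/bin/sh
# Added example: which device nodes can an account write to through its
# supplementary groups? Only group(5) membership lists are checked; the
# account's primary group (from passwd) is not.

# groups_of USER: group(5) lines on stdin -> names of groups listing USER.
groups_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }'
}

# writable_via "G1 G2": `ls -l` lines on stdin -> block/char device nodes
# owned by one of those groups with the group-write bit set.
writable_via() {
    awk -v gl="$1" '
        BEGIN { n = split(gl, a, " "); for (i = 1; i <= n; i++) g[a[i]] = 1 }
        /^[bc]/ && substr($1, 6, 1) == "w" && ($4 in g) { print $NF }'
}

# audit USER GROUPDATA LSDATA: device nodes USER can write via group membership.
audit() {
    gl=$(printf '%s\n' "$2" | groups_of "$1" | tr '\n' ' ')
    printf '%s\n' "$3" | writable_via "$gl"
}

# Constructed sample data modelled on the two systems in the comments.
GROUP_A='disk:x:6:backup
tape:x:26:backup
backup:x:34:'
GROUP_B='disk:x:6:
tape:x:26:
backup:x:34:'
# The /dev/sda line (group read-only) is constructed to show a non-match.
DEVS='brw-rw----  1 root disk 3, 1 Mar 14  2002 /dev/hda1
crw-rw----  1 root tape 9, 0 Mar 14  2002 /dev/st0
brw-r-----  1 root disk 8, 0 Mar 14  2002 /dev/sda'

echo "system A:"; audit backup "$GROUP_A" "$DEVS"
echo "system B:"; audit backup "$GROUP_B" "$DEVS"
```

On a live system the same functions take real input, for example `getent group | groups_of backup` and `ls -l /dev/hda? /dev/st? | writable_via "disk tape"`.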
