
[rdiff-backup-users] "--restrict-read-only /" doesn't seem to work


From: Bill Clarke
Subject: [rdiff-backup-users] "--restrict-read-only /" doesn't seem to work
Date: Fri, 13 Aug 2004 15:01:10 +1000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7) Gecko/20040616 MultiZilla/1.6.4.0b Mnenhy/0.6.0.104

this occurs with the following versions: 0.12.7, 0.13.4, and the CVS
HEAD as of 20030813, 04:30 GMT 2004.

note: "--restrict /" also doesn't work.  but that's less useful (-:

this is on two Solaris 9 machines; rdiff-backup is run by python 2.3.4,
and is using the current head of the librsync CVS tree (required to
work around a bug in librsync!).

i have the setup as recommended by
<http://arctic.org/%7Edean/rdiff-backup/unattended.html> for unattended
backups:
- my original server ("alcatraz") has the following in its
/.ssh/authorized_keys:
"""
command="/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/bin/rdiff-backup
--server --restrict-read-only
/",from="alto",no-port-forwarding,no-x11-forwarding,no-pty ssh-rsa [...]
address@hidden
"""
(where i changed command to different versions of rdiff-backup)

my understanding of the authorized_keys format is that the command given
is run irrespective of the command given over ssh.  so no schema is
required.

- the [...] is the public key of the alternate identity from the mirror
server ("alto", used to send to "alcatraz-backup", which redirects to
"alcatraz").

if i remove the "--restrict-read-only /" from the command in
authorized_keys, then backups from "alcatraz-backup" to alto work as
expected.

however, with "--restrict-read-only /" or "--restrict /" appended to
command the backup fails:

"""
# /usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/bin/rdiff-backup
alcatraz-backup::/etc /tmp/alcatraz-etc-backup
Traceback (most recent call last):
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/bin/rdiff-backup",
line 24, in ?
    rdiff_backup.Main.Main(sys.argv[1:])
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/Main.py",
line 267, in Main
    rps = map(SetConnections.cmdpair2rp, cmdpairs)
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/SetConnections.py",
line 75, in cmdpair2rp
    return rpath.RPath(conn, filename).normalize()
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/rpath.py",
line 667, in __init__
    else: self.setdata()
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/rpath.py",
line 692, in setdata
    if self.lstat(): self.conn.rpath.setdata_local(self)
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 445, in __call__
    return apply(self.connection.reval, (self.name,) + args)
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 367, in reval
    if isinstance(result, Exception): raise result
rdiff_backup.Security.Violation:
Warning Security Violation!
Request to handle path /etc
which doesn't appear to be within restrict path /.

Traceback (most recent call last):
#   File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/bin/rdiff-backup",
line 24, in ?
    rdiff_backup.Main.Main(sys.argv[1:])
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/Main.py",
line 270, in Main
    take_action(rps)
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/Main.py",
line 238, in take_action
    connection.PipeConnection(sys.stdin, sys.stdout).Server()
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 352, in Server
    self.get_response(-1)
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 314, in get_response
    try: req_num, object = self._get()
  File
"/usr/local/stow/rdiff-backup-0.13.4+cvs-20040813/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 230, in _get
    raise ConnectionReadError("Truncated header string (problem "
rdiff_backup.connection.ConnectionReadError: Truncated header string
(problem probably originated remotely)
"""

note: i'm trying to just back up /etc for testing purposes.

if i change the command to "--restrict-read-only /etc", then not only
can i back up /etc, i can also back up (say) /etc/init.d separately.  so
it appears / is a special case that doesn't work.  it's not
(necessarily) the trailing "/" that's at fault either, since putting
"--restrict-read-only /etc/" works too.

cheers,
/lib
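
Added example, not part of the original message and not rdiff-backup's own code: a prefix-style containment check of the kind that would reproduce the three results reported above (restrict path "/" rejects /etc, while "/etc" and "/etc/" both work), next to a version that handles a root restrict path. That the failure comes from such a check is an assumption; the message does not identify the cause, and the function names are hypothetical.

```python
import posixpath


def _norm(path):
    # Lexical normalisation only (collapses "." and ".."; symlinks are not resolved).
    # posixpath.normpath keeps a leading "//", so fold it down to a single "/".
    n = posixpath.normpath(path)
    return "/" + n.lstrip("/") if n.startswith("//") else n


def naive_within(restrict_path, path):
    # Hypothetical check: normalise the restrict path, then require the
    # request to start with restrict_path + "/". For "/" that prefix is "//",
    # which no ordinary absolute path starts with.
    root = posixpath.normpath(restrict_path)
    return path == root or path.startswith(root + "/")


def within(restrict_path, path):
    # Same idea, but the root is treated as containing every absolute path
    # and the requested path is normalised before the comparison.
    root, target = _norm(restrict_path), _norm(path)
    if root == "/":
        return target.startswith("/")
    return target == root or target.startswith(root + "/")


# Constructed sample requests: (restrict path, requested path)
CASES = [
    ("/", "/etc"),              # the failing case from the report
    ("/etc", "/etc/init.d"),    # reported as working
    ("/etc/", "/etc/init.d"),   # trailing slash, reported as working
    ("/etc", "/etcetera"),      # sibling sharing a string prefix: must be refused
    ("/etc", "/etc/../root"),   # ".." leaving the restrict path: must be refused
]

if __name__ == "__main__":
    for restrict, requested in CASES:
        print("%-6s %-14s naive=%-5s fixed=%s" % (
            restrict, requested,
            naive_within(restrict, requested), within(restrict, requested)))
```
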




