DO NOT REPLY [Bug 5448] Daemon parameter to prevent attribute
tweaking
samba-bugs at samba.org
samba-bugs at samba.org
Thu May 8 13:14:14 GMT 2008
https://bugzilla.samba.org/show_bug.cgi?id=5448
sites-samba at carlthompson.net changed:
What |Removed |Added
----------------------------------------------------------------------------
BugsThisDependsOn|4561 |
------- Comment #3 from sites-samba at carlthompson.net 2008-05-08 08:14 CST -------
(In reply to comment #2)
> (In reply to comment #0)
> ...
> > Not being able to completely eliminate modifying files in place
> > greatly and negatively affects a very common use of rsync: backup systems that
> > create incremental backup snapshots using hard links.
>
> I'm not sure it would be wise to change the default behavior to --no-tweak, but
> it would certainly be useful to add a daemon configuration parameter to force
> --no-tweak mode; I'll convert this bug to an enhancement request for such a
> parameter.
The reason why I think it's a good idea to change the default behavior is
because doing so would "fix" current backup solutions that are out there
without any modifications. I also think it is a much more sane default and
can't think of any cases where it would cause undesired results. (But of just
because I can't think of any doesn't mean they don't exist!)
> > The "--link-dest" option attempts to solve
> > the problem but adds serious problems of its own. Some of the problems I see
> > are:
> >
> > 1. The hard links and permission / owner / group change problem:
>
> Right; this would be solved by --no-tweak or a corresponding daemon parameter.
>
> > 2a. A big problem with "--link-dest" is that it requires that the client
> > machine be correctly configured to work.
>
> I have entered bug 5449 for the ability to specify a link-dest dir on a daemon
> in a way that is transparent to the client.
But of course these require changes to the use of the client and daemon and I
think it's a good idea to avoid that. It also is still vulnerable to the chroot
problem below.
> > 2b. Another big problem with "--link-dest" is that when used as documented and
> > intended there is only one copy of the previous backup and it cannot be
> > protected from the forked daemon by chroot! The daemon must have direct access
> > to the one and only good copy of your data so a bug, exploit or malicious
> > client can easily clobber it.
>
> If you want to keep only one copy of the previous backup, clearly there's no
> way the daemon can --link-dest from it unless it is inside the chroot; nothing
> can be done about this. Thus, if you are worried about bugs in the daemon, you
> will have to keep a second copy just for the daemon, as you mention.
Exactly. But if you are keeping a second copy there is no point in using
"--link-dest" because you are already doing a "cp -al" to make the copy.
> However, a bug-free daemon with the enhancements that we're discussing could be
> configured so it would not harm the previous backup no matter what the client
> does. Specifically: the daemon link-dest parameter I'm envisioning would let
> you locate the previous backup outside the module (but of course inside the
> chroot). With that arrangement and symlink munging, the client can't write to
> the previous backup directly, and with a no-tweak parameter, the client can't
> write via existing hard links in the module in the event that a backup is
> interrupted and restarted.
The client may not not be able to write to the previous backup but a buggy or
exploited forked daemon could. So I don't think this is a good a solution and
is more complex.
> ...
Thanks, Carl.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
More information about the rsync
mailing list