[CentOS-devel] BackupPC
Les Mikesell
lesmikesell at gmail.com
Wed Feb 14 16:12:14 UTC 2007
Johnny Hughes wrote:
> The only reason the current version is still in testing and not
> production is that it requires running apache (httpd) as the backuppc
> user (due to the performance issues if not using mod_perl).
Personally I'd recommend shipping it with a dependency on perl-suidperl
and use the suid bit on the cgi program to permit access instead of
using mod_perl. It's not even necessary to use the web interface and it
runs at a usable speed even as a standard cgi.
> People who are running BackupPC on a separate server where backups are
> its major function will appreciate that. Some users want (or expect)
> it to run as the apache user, which it will not.
Actually it could run as the apache user as easily as anything else if
you go that route. The only place you have a problem is where you have
other web services that might not be as secure and users that need
access to apache-owned files that shouldn't access all the backups. An
alternative would be to make a 2nd instance of httpd using mod_perl that
runs on a different port.
> That can cause issues ... therefore I have kept it in testing. (Though
> it works great for me in production, with the mod_perl setup).
>
> There is a version in Fedora Extras that takes the non mod_perl approach
> and runs as the apache user.
>
> I will upgrade this to the new version soon.
I think it is more important to have backups working than to save a
fraction of a second per page when you browse through them, but I'd use
the suid approach if it isn't on mod_perl. One feature that would be
nice, and is currently not included, would be to have mod_auth_pam in the
httpd package. BackupPC permits authenticated http access and can
restrict non-admin users to backups of machines that they 'own' as
specified in backuppc's host file. However, without mod_auth_pam it is
not easy to match up http authentication with the users/passwords the
rest of the system knows (potentially including several schemes). It
isn't that hard to add, but does anyone know why it isn't included in a
system that otherwise revolves around PAM?
--
Les Mikesell
lesmikesell at gmail.com
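
As an added illustration of the suid-CGI approach discussed in this message (not part of the original post and not BackupPC's own code), the following Python check audits the ownership and mode bits of a setuid CGI program. The policy it enforces, the function names, and the `backuppc` and `apache` account defaults are assumptions made for the example.

```python
import grp
import os
import pwd
import stat
import sys


def check_suid_cgi(st_mode, st_uid, st_gid, owner_uid, web_gid):
    """Return a list of findings; an empty list means the assumed policy is met."""
    if not stat.S_ISREG(st_mode):
        return ["not a regular file"]
    findings = []
    if not st_mode & stat.S_ISUID:
        findings.append("setuid bit missing: CGI runs as the web server user")
    if st_uid != owner_uid:
        findings.append("not owned by the backup user")
    if st_gid != web_gid:
        findings.append("group is not the web server group")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("readable or executable by others")
    return findings


def audit_path(path, owner="backuppc", web_group="apache"):
    """Stat the file without following symlinks and apply the check.

    The default account names are assumptions; pass the ones your system uses.
    """
    st = os.lstat(path)
    return check_suid_cgi(st.st_mode, st.st_uid, st.st_gid,
                          pwd.getpwnam(owner).pw_uid,
                          grp.getgrnam(web_group).gr_gid)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_suid_cgi.py /path/to/cgi-program")
    problems = audit_path(sys.argv[1])
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```
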