Date: Fri, 22 Feb 2008 11:14:56 -0800 From: Andrew Bradford <a-bb@gmx.net> To: Mel <fbsd.questions@rachie.is-a-geek.net> Cc: freebsd-questions@freebsd.org Subject: Re: Mounting FS read-only for specific user (or root) Message-ID: <47BF1F30.4020103@gmx.net> In-Reply-To: <200802212131.16581.fbsd.questions@rachie.is-a-geek.net> References: <47BCC9C6.9050501@gmx.net> <47BD3A0B.2030806@locolomo.org> <47BDD1D5.6060003@gmx.net> <200802212131.16581.fbsd.questions@rachie.is-a-geek.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Mel wrote: > On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote: > >> Erik Norgaard escribió: >> >>> I assume the reasoning for this is you want to preserve permissions >>> and attributes on your backup, so you can't solve this simply by >>> setting permissions appropriately. >>> >> Yes, exactly. Users need to be able to see their own backups, and >> nobody else's. >> > > Isn't this what acl's are for? See setfacl(8). I haven't looked into it in > great detail but seems to me that if you make a subdir owned by the user for > each backup root for that user and set the acl to only be accessible by user, > it should work. > > After playing around with this for a bit, I took Erik's suggestion of mounting the backup directory rw in a root-specific area. I didn't think it would work, but my understanding of the permission structure in UNIX is flawed, and it does work :) The setup, for those interested, is as follows: disk2 mounted read-write in /root/.backup /root/.backup mounted using nullfs read-only in /backups drwx------ root wheel /root drwxr-xr-x root wheel /root/.backup drwxr-xr-x root wheel /backups This way, the permissions on /root prevents normal users from writing to the backup mount underneath it, even though they may own files and have write permissions on those files. The permissions of the mount point allow users to view the contents and restore files, but not write to it because the nullfs mount (/backups) is read-only. General users are unable to write to the read-write mount point (/root/.backup) because the permission of the parent directory (/root) is 700. This allows the backup process to write to the backup filesystem, yet still prevents normal users from writing to it. I think this setup could be improved as I'm simply relying on file permissions to keep the backup filesystem read-only for normal users. The problem is not having the ability to mount a filesystem read-write for a specific user -- regardless of the permissions of files on that filesystem. Thanks Erik and Mel for the help with this! Andrew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47BF1F30.4020103>