Date: Mon, 26 Nov 2001 09:02:36 -0500 (EST)
From: Mitch Collinsworth
To: Tom Beer
Cc: security@FreeBSD.ORG
Subject: Re: Amanda - inetd
In-Reply-To: <001f01c1765c$3ccfba80$0901a8c0@system>
Sender: owner-freebsd-security@FreeBSD.ORG

You'll find more folks with amanda experience on the amanda-users list
than on freebsd-security. See www.amanda.org for info.

The question you're asking resolves into 'I want to run a network
service on this machine without using inetd.' The typical solution to
this is to write a long-running daemon, a-la named or dhcpd, but amandad
is not written that way. It expects to be called from inetd. The shell
script outline someone else offered does not work because it fails to
recognize the whole point of your question, that amandad wants to be
started from inetd.

What you're asking to do is probably possible to accomplish, though it
seems excessively paranoid IMHO. If this is a firewall box you could run
inetd with just the amandad entry and locked to only allow access from
the amanda server.
Ruling that out, the easiest answer is to put a tape drive directly on
this box and run its backups directly to local tape.

If you really want to go the way you're asking about then you need to
figure out how long the backup window is, and use a cron job to kill
pppd and start inetd for the duration of your backup window, and then
kill inetd and re-start pppd afterward. The actual duration of the
backup run will vary from one day to the next depending on what else the
amanda server is doing, and whether this machine is getting a level 0 or
a higher level dump run. But you pretty much have to use inetd since the
amanda server will contact the backup client several times for various
functions over the course of a single day's backup run, even if you're
only backing up a single filesystem.

-Mitch

On Mon, 26 Nov 2001, Tom Beer wrote:

> Hi,
>
> I'm planning to install amanda (remote backup
> solution) on a freebsd box as a client. Unfortunately
> amanda needs inetd, which I don't want to start
> for security reasons. Even not tcpwrapped.
> Is there a way to bring my ppp dialup connection
> down, start inetd, start amanda, ending inetd after
> the backup and starting my ppp connection
> again? Or is there a better solution?
>
> Greets Tom
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
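
Added example, not part of the original message or of the Amanda project: one way to set up the "inetd with just the amandad entry" option from the reply above, plus a check that no other inetd service is enabled. The server address 192.0.2.10, the amandad path, the operator user and the choice of hosts.allow (TCP wrappers) as the lock-down mechanism are assumptions.

```shell
#!/bin/sh
# Added example; not from the original message. Assumed values are marked.
AMANDA_SERVER="192.0.2.10"                    # assumption: placeholder address
AMANDAD="/usr/local/libexec/amanda/amandad"   # assumption: install path
AMANDA_USER="operator"                        # assumption: backup user

# Write an inetd.conf whose only active entry is the Amanda client service.
write_inetd_conf() {
    cat > "$1" <<EOF
# Amanda client only; no other service is listed.
amanda dgram udp wait ${AMANDA_USER} ${AMANDAD} amandad
EOF
}

# Write hosts.allow rules (FreeBSD option syntax): server allowed, rest denied.
write_hosts_allow() {
    cat > "$1" <<EOF
amandad : ${AMANDA_SERVER} : allow
amandad : ALL : deny
EOF
}

# Print the service name of every active (non-blank, non-comment) entry.
active_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Succeed only when "amanda" is the sole active service in the file.
only_amanda_enabled() {
    [ "$(active_services "$1")" = "amanda" ]
}

# Demo in a scratch directory: generate both files, then audit them.
dir=$(mktemp -d)
write_inetd_conf "$dir/inetd.conf"
write_hosts_allow "$dir/hosts.allow"
if only_amanda_enabled "$dir/inetd.conf"; then
    echo "ok: amandad is the only inetd service"
fi
# A stray extra service (constructed line) must make the audit fail.
echo "ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l" >> "$dir/inetd.conf"
only_amanda_enabled "$dir/inetd.conf" ||
    echo "audit failed: $(active_services "$dir/inetd.conf" | tr '\n' ' ')"
rm -rf "$dir"
```

inetd consults hosts.allow only when wrapping is enabled (the -w flag on FreeBSD), so the generated rules have no effect without it.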