My own inclination would be to avoid ACLs and a special non-root account with fairly unrestricted access privileges.  Instead, I'd make the backup procedure into a fairly tightly constrained script that would be runnable under "sudo".  I think that would be less of a maintenance headache, and likely more secure with less possibilities for unforeseen information leakage.  When an account can read anything at all on a filesystem, there are often many ways of leveraging that into greater access privileges - e.g. access to ssh private keys.

On 04/05/2015 9:59 AM, Kevin McGregor wrote:
I suppose I could put a new ACL on every file/directory on the system. Presumably there's a way to just add it to the top level and have it propagate all the way down. But then again this is Solaris 11, which is exclusively ZFS, and there are *many* file systems. It would be hard to ensure every file system (and descendants) *always* gets the "backup" ACL added to it in a timely fashion.

That's why I was wondering if there was a "Backup Operator" type of group. I suspect there isn't such a thing. Likely my only option is the "backup ACL" approach, manually marking everything readable by the backup account I choose. I'm not especially concerned about performance or disk space. ;-)


On Mon, May 4, 2015 at 8:25 AM, Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2015-05-04 Kevin McGregor wrote:
> Is that possible/feasible? In Windows, there's a group called "Backup
> Operator" which does something like this. Is the only alternative in
> Solaris to make the account a member of the "root" group? I don't care
> about e.g. device files and the like. I just want the account to be
> able to back up regular ZFS user-type file systems.

That's a perennial UNIX question.  I'd like to know the answer too!

Personally, on Linux boxes where groups aren't used at all for user
files I want backed up (they are all just Samba shared as the owner), I
use samba settings to ensure all files are group "backup" or similar
and group readable.  Cheesy, but it works because I 100% control access
to those files via limited daemons.

If your situation isn't similar (i.e. you are using groups for something
meaningful, or want to backup whole-systems like including /etc) then
that is useless.

I'm sure there's an ACL solution, and I'm (pretty) sure Solaris has
ACL's.  However, something about making a zillion ACL's just to do
backups rubs me the wrong way.  Sure, if the ACL's are small enough
they'll just get stored in the inode (I think), but I'd sure hate to
waste a fs block just for an ACL if it didn't (if there already were
ACL's on the files, selinux, etc).

I hope some other members will give a more useful answer...

(It would be nice if there was a standard, automatic UNIX account called
root-ro!)

(Oh ya, and dump/restore should be able to bypass all inode user/group
restrictions, but use at your own risk.)
_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable



_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable


-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. of Physiology and Pathophysiology, Faculty of Health Sciences,
Univ. of Manitoba  Winnipeg, MB  R3E 0J9  (Canada)