[RndTbl] Solaris/UNIX root-like file access

Kevin McGregor kevin.a.mcgregor at gmail.com
Mon May 4 09:59:31 CDT 2015 

I suppose I could put a new ACL on every file/directory on the system.
Presumably there's a way to just add it to the top level and have it
propagate all the way down. But then again this is Solaris 11, which is
exclusively ZFS, and there are *many* file systems. It would be hard to
ensure every file system (and descendants) *always* gets the "backup" ACL
added to it in a timely fashion.

That's why I was wondering if there was a "Backup Operator" type of group.
I suspect there isn't such a thing. Likely my only option is the "backup
ACL" approach, manually marking everything readable by the backup account I
choose. I'm not especially concerned about performance or disk space. ;-)


On Mon, May 4, 2015 at 8:25 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> On 2015-05-04 Kevin McGregor wrote:
> > Is that possible/feasible? In Windows, there's a group called "Backup
> > Operator" which does something like this. Is the only alternative in
> > Solaris to make the account a member of the "root" group? I don't care
> > about e.g. device files and the like. I just want the account to be
> > able to back up regular ZFS user-type file systems.
>
> That's a perennial UNIX question.  I'd like to know the answer too!
>
> Personally, on Linux boxes where groups aren't used at all for user
> files I want backed up (they are all just Samba shared as the owner), I
> use samba settings to ensure all files are group "backup" or similar
> and group readable.  Cheesy, but it works because I 100% control access
> to those files via limited daemons.
>
> If your situation isn't similar (i.e. you are using groups for something
> meaningful, or want to backup whole-systems like including /etc) then
> that is useless.
>
> I'm sure there's an ACL solution, and I'm (pretty) sure Solaris has
> ACL's.  However, something about making a zillion ACL's just to do
> backups rubs me the wrong way.  Sure, if the ACL's are small enough
> they'll just get stored in the inode (I think), but I'd sure hate to
> waste a fs block just for an ACL if it didn't (if there already were
> ACL's on the files, selinux, etc).
>
> I hope some other members will give a more useful answer...
>
> (It would be nice if there was a standard, automatic UNIX account called
> root-ro!)
>
> (Oh ya, and dump/restore should be able to bypass all inode user/group
> restrictions, but use at your own risk.)
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.muug.mb.ca/pipermail/roundtable/attachments/20150504/ee996f34/attachment.html>

More information about the Roundtable mailing list