backup Windows to Linux file permissions

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

backup Windows to Linux file permissions

Patrik Dufresne
Hello,

I've setup rdiff-backup to backup a windows computer. The backup always complete successfully, but the files created on the Linux servers are set to 0777. Security wise, it's very bad since everyone able to connect to the Linux server can see by files. I'm looking for a simpleway to make rdiff-backup create the files with a different permissions (e.g.: 0700 or 0770)


I've running a command similare to:

rdiff-backup.exe -v 5 --no-hard-links --exclude-symbolic-links --no-acls --remote-schema "plink.exe -2 -batch -i key.ppk %s rdiff-backup --server" --exclude-globbing-filelist my-excludes --include-globbing-filelist my-includes --exclude "C:/**" C:/ [hidden email]::/home/ikus060/test-winxp-fr

 -----------------------------------------------------------------
 Detected abilities for source (read only) file system:
   Access control lists                         Off
   Extended attributes                          Off
   Windows access control lists                 Off
   Case sensitivity                             Off
   Escape DOS devices                           Off
   Escape trailing spaces                       Off
   Mac OS X style resource forks                Off
   Mac OS X Finder information                  Off
 -----------------------------------------------------------------
 POSIX ACLs test skipped. rdiff-backup run with --no-acls option.
 Windows ACLs test skipped. rdiff-backup run with --no-acls option.
 escape_dos_devices not required by filesystem at /home/ikus060/test-winxp-fr/rdiff-backup-data/rdiff-backup.tmp.0
 -----------------------------------------------------------------
 Detected abilities for destination (read/write) file system:
   Ownership changing                           Off
   Hard linking                                 On
   fsync() directories                          On
   Directory inc permissions                    On
   High-bit permissions                         On
   Symlink permissions                          Off
   Extended filenames                           On
   Windows reserved filenames                   Off
   Access control lists                         Off
   Extended attributes                          On
   Windows access control lists                 Off
   Case sensitivity                             On
   Escape DOS devices                           Off
   Escape trailing spaces                       Off
   Mac OS X style resource forks                Off
   Mac OS X Finder information                  Off
 -----------------------------------------------------------------

Thanks for your help.

--
Patrik Dufresne


_______________________________________________
rdiff-backup-users mailing list at [hidden email]
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
Reply | Threaded
Open this post in threaded view
|

Re: backup Windows to Linux file permissions

Dominic Raferd-3
Hello Patrik

I think the simple solution is to backup to a directory to which only one linux user has access. For our windows backups each Windows client machine has a separate linux user account on the server and backs up to its home directory. All users' home directories have 0700 permission. So only that user (and the linux administrator uid 0) can gain access.

Dominic


I've setup rdiff-backup to backup a windows computer. The backup always complete successfully, but the files created on the Linux servers are set to 0777. Security wise, it's very bad since everyone able to connect to the Linux server can see by files. I'm looking for a simpleway to make rdiff-backup create the files with a different permissions (e.g.: 0700 or 0770)


I've running a command similare to:

rdiff-backup.exe -v 5 --no-hard-links --exclude-symbolic-links --no-acls --remote-schema "plink.exe -2 -batch -i key.ppk %s rdiff-backup --server" --exclude-globbing-filelist my-excludes --include-globbing-filelist my-includes --exclude "C:/**" C:/ [hidden email]

 -----------------------------------------------------------------
 Detected abilities for source (read only) file system:
   Access control lists                         Off
   Extended attributes                          Off
   Windows access control lists                 Off
   Case sensitivity                             Off
   Escape DOS devices                           Off
   Escape trailing spaces                       Off
   Mac OS X style resource forks                Off
   Mac OS X Finder information                  Off
 -----------------------------------------------------------------
 POSIX ACLs test skipped. rdiff-backup run with --no-acls option.
 Windows ACLs test skipped. rdiff-backup run with --no-acls option.
 escape_dos_devices not required by filesystem at /home/ikus060/test-winxp-fr/rdiff-backup-data/rdiff-backup.tmp.0
 -----------------------------------------------------------------
 Detected abilities for destination (read/write) file system:
   Ownership changing                           Off
   Hard linking                                 On
   fsync() directories                          On
   Directory inc permissions                    On
   High-bit permissions                         On
   Symlink permissions                          Off
   Extended filenames                           On
   Windows reserved filenames                   Off
   Access control lists                         Off
   Extended attributes                          On
   Windows access control lists                 Off
   Case sensitivity                             On
   Escape DOS devices                           Off
   Escape trailing spaces                       Off
   Mac OS X style resource forks                Off
   Mac OS X Finder information                  Off
 -----------------------------------------------------------------

Thanks for your help.

--
Patrik Dufresne



_______________________________________________
rdiff-backup-users mailing list at [hidden email]
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki


_______________________________________________
rdiff-backup-users mailing list at [hidden email]
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
Reply | Threaded
Open this post in threaded view
|

Re: backup Windows to Linux file permissions

Leland Best
In reply to this post by Patrik Dufresne
Hi All,

Since we're sort-of on this subject I'd like to ask a question/bring up
an issue I ran into a couple years ago which, obviously, has never been
resolved.

On Fri, 2015-08-21 at 14:30 -0400, Patrik Dufresne wrote:
> Hello,
>
>
> I've setup rdiff-backup to backup a windows computer. The backup
> always complete successfully, but the files created on the Linux
> servers are set to 0777. Security wise, it's very bad since everyone
> able to connect to the Linux server can see by files. I'm looking for
> a simpleway to make rdiff-backup create the files with a different
> permissions (e.g.: 0700 or 0770)
[...]

On a related note, have you ever restored one of these backups?  If so,
has it correctly restored the Windows permissions/ACLs?  I only ask
because when I've backed up and restored from/to Windows Vista and
Windows 7, the restored Windows permissions are wrong.  Digging into
'rdiff-backup's metadata files seemed to show the permissions were
stored correctly on the Linux box.  At least, they exactly matched the
output of some-windows-command-line-program whose name I have now
forgotten.  But on restore the results on the Windows box were very
strange.  IIRC, extra groups were given access, permissions that were
originally "inherited" were now not inherited, etc..  I've had this
problem with both Cygwin and native versions of 'rdiff-backup', with
both the 'stable' 1.2.8, and the 'unstable' 1.3.3 versions of
'rdiff-backup', and when backing up to both Linux and Windows machines.

The only way I've found of reliably backing up and restoring a Windows
box using 'rdiff-backup' is: Mirror the entire partition using e.g.
'ntfsclone', then use 'rdiff-backup' to back up the mirror file.  I've
restored Windows boxes from "bare metal" using such backups and they
work perfectly.  But wow is it unwieldy!

Anyway, apologies if this is too off topic but it does seem somewhat
related in that, for me anyway, 'rdiff-backup' and Windows do _not_ play
nicely together regarding permissions.

Cheers
Leland
--
-------------------------------------------------------------------------------
Leland C. Best      | Creationists make it sound as though a 'theory' is
[hidden email] | something you dreamt up after being drunk all night.
                    | -- Isaac Asimov
-------------------------------------------------------------------------------


_______________________________________________
rdiff-backup-users mailing list at [hidden email]
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
Reply | Threaded
Open this post in threaded view
|

Re: backup Windows to Linux file permissions

Dominic Raferd-3
On 22/08/2015 02:45, Leland Best wrote:

> Hi All,
>
> Since we're sort-of on this subject I'd like to ask a question/bring up
> an issue I ran into a couple years ago which, obviously, has never been
> resolved.
>
> On Fri, 2015-08-21 at 14:30 -0400, Patrik Dufresne wrote:
>> I've setup rdiff-backup to backup a windows computer...
> On a related note, have you ever restored one of these backups?  If so,
> has it correctly restored the Windows permissions/ACLs?  I only ask
> because when I've backed up and restored from/to Windows Vista and
> Windows 7, the restored Windows permissions are wrong.  Digging into
> 'rdiff-backup's metadata files seemed to show the permissions were
> stored correctly on the Linux box.  At least, they exactly matched the
> output of some-windows-command-line-program whose name I have now
> forgotten.  But on restore the results on the Windows box were very
> strange.  IIRC, extra groups were given access, permissions that were
> originally "inherited" were now not inherited, etc..  I've had this
> problem with both Cygwin and native versions of 'rdiff-backup', with
> both the 'stable' 1.2.8, and the 'unstable' 1.3.3 versions of
> 'rdiff-backup', and when backing up to both Linux and Windows machines.
>
> The only way I've found of reliably backing up and restoring a Windows
> box using 'rdiff-backup' is: Mirror the entire partition using e.g.
> 'ntfsclone', then use 'rdiff-backup' to back up the mirror file.  I've
> restored Windows boxes from "bare metal" using such backups and they
> work perfectly.  But wow is it unwieldy!
>
> Anyway, apologies if this is too off topic but it does seem somewhat
> related in that, for me anyway, 'rdiff-backup' and Windows do _not_ play
> nicely together regarding permissions.
>

Hi Leland

I too remain uncertain about rdiff-backup's interactions with Windows
permissions, not least because I don't fully understand the latter. I
always backup from Windows without ACLs and use rdiff-backup (1.2.8)
only for data backup, not whole-system. But even here problems can
arise; with some folders such as %APPDATA%\Thunderbird the permissions
can get messed up on restoring - because of inheritance I believe.  To
make it more confusing, the problem may not manifest itself immediately
but a few days or weeks later - when the restored folder suddenly
becomes inaccessible on the local machine.

After restoring with rdiff-backup to %APPDATA%\Thunderbird (or a
subfolder thereof) I fix the permissions thus - must be at an
administrator prompt:

icacls "%APPDATA%\Thunderbird" /reset /T /C /Q

This restores permissions for %APPDATA%\Thunderbird and all files and
directories below it to the default inherited permissions. Obviously it
assumes that the restored folder and all its contents *should* normally
inherit all default permissions.

I have only used this under Windows 8.1 but I expect (hope) it would
work the same for Windows 7-10. I think it is likely to work fine for
anything in %APPDATA% (normally C:\Users\myname\AppData\Roaming),
perhaps even anything in %USERPROFILE% (normally C:\Users\myname), but
it is a workaround rather than a fix. Trying it on %WINDIR% would surely
wreak havoc...

Re rdiff-backup and windows ACLs generally, the rdiff-backup 'features'
page http://www.nongnu.org/rdiff-backup/features.html says 'ACLs are not
supported on Mac OS X or Windows as those systems do not use standard
POSIX.1e access controls'. And refer to a 2008 thread on this mailing
list:
http://www.backupcentral.com/phpBB2/two-way-mirrors-of-external-mailing-lists-3/rdiff-backup-23/patch-backing-up-windows-acls-90543/ 
- I am not sure if Josh's patch ever made it into a published version of
rdiff-backup.

Dominic

_______________________________________________
rdiff-backup-users mailing list at [hidden email]
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki