Freebsd – Read files owned by another user as non-root

freebsdpermissionszfs

I'm backing up servers on a backup server. Each server which is backed up has it's own account on the backup server, and the files are rsynced. It is important that the permissions remain intact (using rsync -p) to simplify restores.

I'm trying to create a script which can read the files and create some statistics. I don't like that script to be running under the root user, and it it also impossible to run it for every backup user, as the script should be able to read all files from all users. However, this creates a problem when a file is for example chmodded 600. I don't want to touch permissions, but another user except for root and the owner can't read it.

A specific – non root – user should be able to read all files in a directory or partition, regardless the permission levels (and the owner of the files should have no way to prevent it). Is there a way to achieve this? I'm running FreeBSD with a ZFS volume.

Best Answer

Use sudo.

If your sudoers file lists an exact and specific command then the command must be called exactly as listed in the sudoers or it will be denied.

E.g.:

backupuser  ALL=(root) /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

In this example the user backup can execute the command exactly as shown:

sudo /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

If they call sudo rsync... instead of sudo /usr/bin/rsync the command fails, or if the flags or paths are different the command fails.

If you're doing this in a script then you want to enable passwordless use of those commands:

backupuser  ALL=(root) NOPASSWD: /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

For more see the sudoers(5) man page under Cmnd_list.

Related Solutions

Is it ok to have files owned by a non-existent user

Yes, it's fine.

UNIX doesn't really care about names. For file permissions, it's the numbers that are important; when you try to access the file, it'll see if your UID matches, then GID, then it'll use the "other" permissions. As long as the "other" permissions include reading, you'll be able to read those files.

It doesn't check to see if a user or group exists for that number unless you're running something like ls that shows user and group names (in which case, it'll just show the number).

On my home server I have many UIDs and GIDs that do not exist on any other machines; NFS handles it just fine. FreeBSD server, OpenBSD and Linux clients.

Linux – Cannot change permissions as root on a file owned by root

CentOS (and other Fedora/RHEL derivatives) enables an additional security mechanism known as SELinux. It applies additional restrictions on most system daemons. These additional restrictions are checked after regular unix permissions.

For non-default configurations you often need to adjust SELinux. Files contain a specific security label, which is used by SELinux to apply the security policy. If your problem only occurs with some files, you need to correct the SELinux labels on the problematic files. Use chcon with --reference= option to copy the label from a file which works to apply the same label on your problematic file(s):

chcon --reference=<path to working file> <path to not working file(s)>

If your files are in non-standard location, you should add a rule in file labeling database. This avoids problems the next time file system is relabeled or restorecon is used. Choose the label appropriately or use the already applied label (check the existing security labels with ls -lZ).

Adding a labeling rule for /path/to/directory and its contents using semanage:

semanage fcontext -a -t httpd_user_rw_content_t '/path/to/directory(/.*)?'

If your files are on different file system, you can use context option for the mount point to apply/override the default labeling.

Best Answer

Related Solutions

Is it ok to have files owned by a non-existent user

Linux – Cannot change permissions as root on a file owned by root

Related Question