Linux - Newbie This Linux forum is for members that are new to Linux.
07-08-2008, 07:49 AM
#1
LQ Newbie
Registered: Jan 2008
Location: Brittany, France
Distribution: RHEL4&5
Posts: 7
ACL effective permissions problem on file copies
Hello everybody, I'm in a bit of trouble here, let me explain:
directory /var/test:
drwx------+ 3 testuser testgroup 4096 Jul 8 07:56 test
/var/test is a mountpoint for an LVM volume mounted with the acl option:
/dev/mapper/testvg-testvol on /var/test type ext3 (rw,acl)
I want testuser:testgroup to be able to read and write files in this directory and its subdirectories. I also want another user, amanda:disk, to have the same read/write permissions to back up and restore said files and directories. I don't want any other user to have access to those files, not even a read privilege. Of course root can.
I figured I could use the ACLs to solve this problem and tried the following:
setfacl --set u::rwx,u:amanda:rwx,g::-,o::-,m:rwx /var/test
setfacl -d --set u::rwx,u:amanda:rwx,g::-,o::-,m:rwx /var/test
While this works fine for the files that testuser creates in /var/vms:
-bash-3.2$ touch /var/test/testfile
-bash-3.2$ getfacl /var/test/testfile
getfacl: Removing leading '/' from absolute path names
# file: var/test/testfile
# owner: testuser
# group: testgroup
user::rw-
user:amanda:rwx #effective:rw-
group::---
mask::rw-
other::---
It doesn't work for files created by testuser in another directory such as /tmp and copied to /var/test:
-bash-3.2$ touch /tmp/testfile2
-bash-3.2$ ls -l /tmp/testfile2
-rw-r--r-- 1 testuser testgroup 0 Jul 8 08:07 /tmp/testfile2
-bash-3.2$ getfacl /tmp/testfile2
getfacl: Removing leading '/' from absolute path names
# file: tmp/testfile2
# owner: testuser
# group: testgroup
user::rw-
group::r--
other::r--
-bash-3.2$ cp /tmp/testfile2 /var/test
-bash-3.2$ ls -l /var/test/testfile2
-rw-r-----+ 1 testuser testgroup 0 Jul 8 08:07 /var/test/testfile2
-bash-3.2$ getfacl /var/test/testfile2
getfacl: Removing leading '/' from absolute path names
# file: var/test/testfile2
# owner: testuser
# group: testgroup
user::rw-
user:amanda:rwx #effective:r--
group::---
mask::r--
other::---
In this case, the effective rights of the amanda user are sufficient to back up this file but insufficient to restore it, oops...
Please, could you point me in the right direction because I am kind of stuck here... Thank you all very much
Richard

07-09-2008, 07:33 AM
#2
Senior Member
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189
Sorry you haven't gotten an answer on the acls. I don't have a comparable system to yours to play around and see how it works, but I can tell you that moving and copying files from one place to another is the most likely situation where things might not work as you would like. I've repeatedly had that problem with Samba shares and Windows users (one person uploads a file via Samba, another who has shell access on the server moves the file into a location that should be public for that group and finds that group privileges are not correct).
On the other hand, I believe you have to be root to run amrecover, since that puts you in the position of accessing the tapes on the backup server and allows you to see everything as well as recover anything. Backup and Recovery typically has to be able to access everything, regardless of permissions. You might want to review your install of Amanda, or, if it's a system someone else installed, review the user documentation: http://wiki.zmanda.com/index.php/User_documentation.

07-09-2008, 07:46 AM
#3
Moderator
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
You need to use the "-a" option to cp to copy the acls. Also, the filesystem you back up the files to needs to also support acls and be mounted with the acl option.
As an aside, you can use the "star" program to back up files including acls, attributes and file attributes (setfacl, chattr, setfattr). My version of tar will not do this, but some versions have an -acl option. You could download that version & compile it.
You had the right idea to test your backups & restore before going with it. If you use tar or star do the same thing.
Last edited by jschiwal; 07-09-2008 at 07:49 AM.

07-09-2008, 08:43 AM
#4
LQ Newbie
Registered: Jan 2008
Location: Brittany, France
Distribution: RHEL4&5
Posts: 7
Original Poster
Quote:
Originally Posted by choogendyk
...On the other hand, I believe you have to be root to run amrecover, since that puts you in the position of accessing the tapes on the backup server and allows you to see everything as well as recover anything. Backup and Recovery typically has to be able to access everything, regardless of permissions. ...
Absolutely correct and so obvious I didn't see it, my mistake. The "r" permission is sufficient for amanda in that case. Tested OK on my system.
Quote:
Originally Posted by jschiwal
You need to use the "-a" option to cp to copy the acls. Also, the filesystem you back up the files to needs to also support acls and be mounted with the acl option....
Yes, but unfortunately I don't know the source directory beforehand and they don't all use ACLs, so if I copy with -a a file that does not come from an ACL-enabled directory, the default ACLs won't even apply.
What I noticed is that the ACL mask really relies on the "group" rights. If a chmod g something is applied to the file, it will affect the mask of the ACL.
Thank you both for these precious bits of information, it'll do just fine.
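
An added illustration, not part of the thread: a small Python model of the file-creation rules documented in acl(5), which reproduces the two getfacl results from post #1 and the chmod observation in post #4. The function names are made up for this example, and it models the rules rather than touching a filesystem.

```python
# Added example: a model of the acl(5) rules, not output from a real filesystem.
R, W, X = 4, 2, 1

def bits(p):
    """Render a 3-bit permission value the way getfacl does, e.g. 6 -> 'rw-'."""
    return "".join(c if p & b else "-" for c, b in zip("rwx", (R, W, X)))

def create_in_dir(default_acl, mode):
    """Access ACL of a file created with `mode` in a directory that carries
    `default_acl`. Per acl(5): the default ACL is copied, then user::, mask::
    and other:: are ANDed with the owner, group and other bits of `mode`.
    The umask is not consulted when a default ACL exists."""
    acl = dict(default_acl)
    acl["user::"] &= (mode >> 6) & 7
    acl["mask::"] &= (mode >> 3) & 7   # the group bits of mode land on the mask
    acl["other::"] &= mode & 7
    return acl

def chmod_group(acl, group_bits):
    """chmod g=... on a file that has a mask rewrites mask::, not group::."""
    return {**acl, "mask::": group_bits & 7}

def effective(acl, entry):
    """Named users, named groups and group:: are limited by the mask;
    user:: and other:: are not."""
    if entry in ("user::", "other::"):
        return acl[entry]
    return acl[entry] & acl["mask::"]

# Default ACL from: setfacl -d --set u::rwx,u:amanda:rwx,g::-,o::-,m:rwx /var/test
DEFAULT = {"user::": 7, "user:amanda": 7, "group::": 0, "mask::": 7, "other::": 0}

touched = create_in_dir(DEFAULT, 0o666)   # touch asks for 0666
copied = create_in_dir(DEFAULT, 0o644)    # cp asks for the source's mode, -rw-r--r--
repaired = chmod_group(copied, R | W)     # chmod g+w, or setfacl -m m::rw

if __name__ == "__main__":
    for name, acl in (("touch", touched), ("cp", copied), ("chmod g+w", repaired)):
        print(f"{name:10} mask::{bits(acl['mask::'])} "
              f"user:amanda:{bits(acl['user:amanda'])} "
              f"#effective:{bits(effective(acl, 'user:amanda'))}")
```

Widening the mask raises the ceiling for every named user, named group and group:: entry at once; in this ACL group:: is ---, so only amanda gains write access.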

07-09-2008, 07:57 PM
#5
Senior Member
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189
Quote:
Originally Posted by jschiwal
As an aside, you can use the "star" program to back up files including acls, attributes and file attributes (setfacl, chattr, setfattr). My version of tar will not do this, but some versions have an -acl option. You could download that version & compile it.
You had the right idea to test your backups & restore before going with it. If you use tar or star do the same thing.
Yup. You need to know the version of tar you are using. `tar --version` will tell you, and on some of my systems this will respond that it is gnutar. Gnutar will do acls.
You can also download and install gnutar, if your tar is inadequate. Amanda recommends gnutar. Just make sure Amanda knows where it is -- either install it in the same location tar was in when you configured Amanda, or you may need to reconfigure Amanda.