Clients install - Using tar
This section describes the steps to configure the client PC (the PC to be backed up) for BackupPC.
It is better to create a low-privileged backuppc user on the client and use sudo on the client to run the backup command (e.g. tar or rsync) as root. This greatly improves the security of the solution.
sudo useradd backuppc -g backup
sudo mkdir -p /home/backuppc/.ssh
sudo cp /var/share/config/backuppc/authorized_keys /home/backuppc/.ssh/
sudo chown -R backuppc:backup /home/backuppc/.ssh
sudo chmod 700 /home/backuppc/.ssh
sudo chmod 600 /home/backuppc/.ssh/authorized_keys
Create a script that can be run by BackupPC over the SSH connection:
sudo nano /usr/bin/backup_tar
with the following content:
#!/bin/sh -f (1)
#####################################################
#
# Script run by BackupPC with no password sudo rights
#
#####################################################
exec /bin/tar "$@" (2)
| 1 | The -f here is used to turn off Glob-Pattern expansion. |
| 2 | The "$@" construct specifies that all parameters passed in to this script should be passed on to tar. |
This script therefore serves as an "alias" for the tar command. The BackupPC user will have root access to it through sudo, which will be configured to allow execution without a password.
Ensure the script file is executable and owned by the BackupPC user.
sudo chmod 554 /usr/bin/backup_tar
sudo chown backuppc /usr/bin/backup_tar
The script file is located on the share drive and can be installed as follows:
sudo cp /var/share/config/backuppc/backup_tar /usr/bin/
sudo chmod 554 /usr/bin/backup_tar
sudo chown backuppc:users /usr/bin/backup_tar
Or simply run the utility script that performs the above commands:
sudo /var/share/config/backuppc/setup.sh
Edit the sudoers file to allow the BackupPC user to execute the backup script without a password:
sudo visudo
Check if the following line exists:
Defaults requiretty
If so, invert the setting as follows:
Defaults !requiretty
| If the above setting is not present it can be ignored completely. |
Add the following under the command alias section:
# WSO2 team
Cmnd_Alias BACKUP=/usr/bin/backup_tar
And append this to the end of the file:
backuppc ALL = NOPASSWD: BACKUP
| Take note of the spaces in the config lines! Best to copy and paste the text above. |
Run the following command while logged in as the BackupPC user on the Master server to ensure it can connect.
sudo su backuppc
ssh -l backuppc pepwso2manp1 sudo /usr/bin/backup_tar
On the first attempt SSH will prompt you to accept the fingerprint. Answer YES.
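Because sudo runs /usr/bin/backup_tar as root without a password, whoever can rewrite that file decides what root executes, and a file's owner can always restore its own write bit with chmod, so mode 554 does not restrict the owner. The check below is an added example, not part of the original page or of BackupPC, that reports whether the account granted sudo can modify the script or its directory. It assumes a Linux client with GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a script that sudoers lets an unprivileged account
# run as root. Assumes GNU coreutils stat (-c %U / %a).
# Usage on the client: sh <this file> /usr/bin/backup_tar backuppc

# check_path PATH SUDO_USER: print findings for one file or directory.
# Returns 0 when clean, 1 on a finding, 2 if stat fails.
check_path() {
    p=$1; u=$2; n=0
    owner=$(stat -c %U "$p") || return 2
    mode=$(stat -c %a "$p") || return 2
    if [ "$owner" = "$u" ]; then
        # The owner can chmod u+w and edit, whatever the current mode says.
        echo "FINDING: $p is owned by $u (mode $mode)"; n=1
    fi
    # Octal mask 022 selects the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $p is writable by group or others (mode $mode)"; n=1
    fi
    return $n
}

# audit_sudo_target FILE SUDO_USER: check the script and its parent directory.
# A writable parent directory allows the file to be replaced outright.
# Returns 0 when clean, 1 when any finding was printed, 2 if FILE is missing.
audit_sudo_target() {
    file=$1; user=$2; rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }
    check_path "$file" "$user" || rc=1
    check_path "$(dirname "$file")" "$user" || rc=1
    return $rc
}

# Run the audit only when called with FILE and SUDO_USER arguments.
if [ "$#" -eq 2 ]; then
    audit_sudo_target "$1" "$2"
fi
```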