
Opened 8 years ago

Last modified 8 years ago

#66 new enhancement

Windows ACL support

Reported by: Achim J Latz
Owned by: ben
Priority: normal
Milestone:
Component: bbackupd
Version: 0.11rc2
Keywords: Windows ACL
Cc:

Description

This would be great, especially if we want to start making BB "bare-metal restore" capable.

In case this would break backwards compatibility with really old clients, there is always the possibility of "Add a switch, functionality is disabled by default": if somebody wants to use it, they have to make sure that backend and frontend are compatible, and then enable the ACL feature themselves. In 3 years, when everybody is on a more recent (i.e. already ACL-compliant) platform, you can throw the default switch to on.

I would be very happy to see ACL support for Windows under Box Backup.

It is also official now that SIDs are nowhere near as important as believed. From *the* guy that ran Sysinternals: http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Change History (3)

comment:1 Changed 8 years ago by Achim J Latz

ACLs and file attributes http://setacl.sourceforge.net/html/examples.html (see examples 13 and 14 for storing and restoring ACL information to/from a file)

http://truetechsolutions.supersized.org/archives/24-SetAcl-goodness.html

Public domain (pre 2.0) version of SetACL http://www.helge.mynetcologne.de/setacl/

List current ACLs

SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn list
SetACL.exe -on "D:" -ot shr -actn list

To set 'change' permissions on the directory:

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:change"
INFO: Privilege 'Back up files and directories' could not be enabled. This can probably be ignored.
INFO: Privilege 'Restore files and directories' could not be enabled. This can probably be ignored.
INFO: Processing ACL of: <\\?\C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile>

SetACL finished successfully.

Remove write and change permission sets from file

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:write,change;m:revoke" 

Possible privileges are: write change full read_ex

Removes "Everyone" from file (everyone becomes todos in ES version)

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn ace -ace "n:everyone;m:revoke"
$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn ace -ace "n:ajl;m:revoke"

Remove write and change permission sets from file, replace with 'read and execute' permissions:

SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:write,change;m:revoke" -ace "n:ajl;p:read_ex"
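
One way to store ACL information in a file and restore it later, as comment:1 discusses, shown here with PowerShell's built-in Get-Acl/Set-Acl rather than SetACL. This is an added example, not part of the ticket or of Box Backup; the function names Export-AclManifest and Import-AclManifest, the CSV layout and the sample paths are assumptions.

```powershell
# Added example: save each item's security descriptor as SDDL, restore the DACL later.
# Function names, CSV columns and sample paths are assumptions made for this example.
function Export-AclManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rootItem = Get-Item -LiteralPath $Root -Force
    $prefix   = $rootItem.FullName.TrimEnd('\')
    $items    = @($rootItem) + @(Get-ChildItem -LiteralPath $rootItem.FullName -Recurse -Force)
    $items | ForEach-Object {
        [pscustomobject]@{
            # Relative paths let the manifest be applied to a tree restored elsewhere.
            RelativePath = $_.FullName.TrimEnd('\').Substring($prefix.Length).TrimStart('\')
            Sddl         = (Get-Acl -LiteralPath $_.FullName).Sddl
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Import-AclManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rootItem = Get-Item -LiteralPath $Root -Force
    # Only the DACL section of the stored descriptor is applied in this example.
    $dacl = [System.Security.AccessControl.AccessControlSections]::Access
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $target = if ($row.RelativePath) {
            Join-Path $rootItem.FullName $row.RelativePath
        } else {
            $rootItem.FullName   # an empty relative path is the root itself
        }
        if (-not (Test-Path -LiteralPath $target)) {
            Write-Warning "Skipping path missing from the restored tree: $target"
            continue
        }
        $acl = Get-Acl -LiteralPath $target
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, $dacl)
        Set-Acl -LiteralPath $target -AclObject $acl
    }
}

# Constructed usage (paths are placeholders):
#   Export-AclManifest -Root 'C:\test\data' -ManifestPath 'C:\test\data-acl.csv'
#   Import-AclManifest -Root 'D:\restore\data' -ManifestPath 'C:\test\data-acl.csv'
```

SDDL records most trustees as SIDs, so ACEs for local accounts only resolve on a machine or domain where those SIDs exist, which matters for a bare-metal restore onto a fresh installation.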

comment:2 Changed 8 years ago by Achim J Latz

More details from the backuppc script: http://sourceforge.net/apps/mediawiki/backuppc/index.php?title=User_Scripts_-_Client_-_Windows_VSS

#  [optional] subinacl.exe
#      Only required if backing up ACLs and you want to use this
#      method instead of or in addition to 'getfacl'. The program is a
#      free download from Microsoft (note I found that the older
#      version included with the Windows Server 2003 toolkit didn't
#      work on XP but the following version did):
#       http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B
# http://ss64.com/nt/subinacl.html

# By setting the variable ACL or command line -A (--ACL) it is
# possible to have the script dump the ACLs of each desired backup
# drive for inclusion in the backup. The ACLs are generated either by
# 'getfacl' (ACL=1) or more comprehensively by 'subinacl' (ACL=2) or
# by both (ACL=3). The dumps are gzipped but in a format that can be
# restored by 'setfacl' and 'subinacl' respectively. Note that
# 'subinacl' runs slower but dumps the full ntfs file ACLs while
# 'getfacl' only does the cygwin subset.  Additionally, the variable
# $ACLFINDPRUNE contains a list of files/directories to exclude from
# the 'getfacl' dump (typically temp folders, analogous to ones you
# wouldn't backup either). Similarly, $ACLSUBINACLEXCLUDE is a list of
# paths to exclude for the 'subinacl' dump.  Note to read the subinacl
# files as plain text you may need to pipe the uncompressed version
# onto: iconv -f UTF-16LE -t UTF-8 | tr -d '\r'

comment:3 Changed 8 years ago by Achim J Latz

See also the discussions on this thread http://www.mail-archive.com/[email protected]/msg17928.html
