Coda File System

backups and security

From: Greg Troxel <gdt_at_fnord.ir.bbn.com>
Date: 02 Nov 1999 12:08:02 -0500

I have a coda server and several clients set up.  In order for me to
feel comfortable putting real data on it, I need to address the issues
of backups and security.

While coda has a backup scheme, it doesn't seem to be integrated with
amanda (http://www.amanda.org/), and thus it would be annoying for me
to use it.  In the glorious future, it will be easier to plug in other
schemes to amanda etc. and all will be simple.  But for now, I settled
on using GNU tar to do a hackish but adequate job.  Basically, I did

1. put in a cronjob for root on the (single) server to clog from a
   file as a user that can read everything that should be backed up
2. configured amanda normally on the box
3. configured the amanda server to dump each volume with GNU tar

Except for some silly mistakes while configuring, this seems to work.
I know that really I should clone the volumes and back up the clones,
and I should figure out how to use the coda backup program, since I
lose all metadata.  To address the latter, I wrote a simple script to
list the acls.  Should I need the backups, I'll write something to put
them back!  But this gets me the files, and that's the first-order
need.

The second issue is security.  Coda tokens (xor, I believe) are not
adequate.  My current plan is to use IPSEC for all coda traffic, and
use the coda auth underneath it.  However, this won't work across
firewalls that block AH/ESP.  I'd like to use the krbsupport.c K5
support, but also have the rpc2 security be at least DES.  Any
hints/code for this would be most welcome.

It appears that coda lacks strong authentication due to export
control.  Since in theory only encryption is regulated, I can't see
how including strong authentication but no confidentiality support
would run afoul of the rules as written.  While I'd like both, it's
really the lack of authentication that bothers me the most.  I'm
unfortunately not big on copious spare time, but I thought I would
mention this here.

        Greg Troxel <gdt_at_ir.bbn.com>


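#!/bin/sh
# Save each directory's ACL (as printed by "cfs la") into a file inside that
# directory, where the tar backup of the volume picks it up.
cd /coda || exit 1
find . -type d | while IFS= read -r d; do
  echo "$d"
  cfs la "$d"
  cfs la "$d" > "$d/.save-acl-data"
  ls -l "$d/.save-acl-data"
done
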
Received on 1999-11-02 12:09:26
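
The post leaves putting the ACLs back for later; the following is one possible counterpart to the save script, added here as an example and not part of the original message or of Coda. It assumes each line of .save-acl-data has the form "<name> <rights>" and that "cfs sa -clear" replaces a directory's ACL; the function names and the CFS variable are hypothetical. Because the saved file sits inside the directory it describes, anyone who can write there can alter it, so the example rejects malformed lines and defaults to printing the commands for review.

```shell
#!/bin/sh
# Added example (not from the original post): reapply ACLs saved by the
# script above. ASSUMPTIONS: each line of .save-acl-data is "<name> <rights>"
# with rights drawn from rlidwka, and "cfs sa -clear <dir> <name> <rights>..."
# replaces a directory's ACL. Check both against your cfs before use.

# acl_args FILE: print "name rights name rights ..." for FILE. Returns 1 if
# any line is not a plain name/rights pair (this includes negative rights,
# which are not handled here) or if FILE holds no entries, because running
# "sa -clear" with no entries would wipe the ACL.
acl_args() {
  awk '
    NF == 0 { next }
    NF != 2 || $1 !~ /^[A-Za-z0-9][A-Za-z0-9_.:-]*$/ || $2 !~ /^[rlidwka]+$/ {
      bad = 1; exit
    }
    { out = out sep $1 " " $2; sep = " " }
    END { if (bad || out == "") exit 1; print out }
  ' "$1"
}

# restore_acls ROOT: print (default) or run one "cfs sa" per saved file.
# Set CFS=cfs to apply; the default "echo cfs" is a dry run for review.
restore_acls() {
  find "$1" -type f -name .save-acl-data | while IFS= read -r f; do
    d=$(dirname "$f")
    if args=$(acl_args "$f"); then
      # $args is unquoted on purpose: validation above limits it to
      # name/rights tokens, so splitting yields the separate arguments.
      ${CFS:-echo cfs} sa -clear "$d" $args
    else
      echo "skipping $d: unexpected content in $f" >&2
    fi
  done
}

# Constructed sample data so the example runs without a Coda client.
demo() {
  t=$(mktemp -d) && mkdir "$t/ok" "$t/bad"
  printf '  System:AnyUser  rl\n  gdt  rlidwka\n' > "$t/ok/.save-acl-data"
  printf 'gdt rl; echo injected\n' > "$t/bad/.save-acl-data"
  restore_acls "$t" 2>/dev/null | sed "s|$t|ROOT|"
  rm -rf "$t"
}

demo   # prints: cfs sa -clear ROOT/ok System:AnyUser rl gdt rlidwka
```

A well-formed entry that someone added to a saved file still passes validation, so compare the dry-run output with what you expect before running it with CFS=cfs.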