SUMMARY: How to block access to tape device?

From: jay@cdac.ernet.in
Date: Thu Oct 09 1997 - 07:39:55 CDT


Hello Sunmanagers

Some time back I had asked for ways to lock access to a tape
device while taking backup.

Here's my original post:

> I have this problem while doing a backup - I have to back up
> about 10 GB data every week for which I use ufsdump on Solaris
> 2.5.1 running on Ultra2. The 8mm DAT drive is half a mile (well
> almost!) away from where I sit. Every time I have to change
> volumes on the DAT I have to run this distance and do the
> needful. My worry is that in the while that ufsdump is waiting
> for the next volume to be inserted, anybody can write to the
> volume already inside the DAT drive, or eject using the mt
> command.
>
> Is there a way by which I can block off access to the tape
> device, so that I know for sure that no one is able to disrupt
> my backups? Naturally I should be able to restore access once
> my job is done.
>
> I urgently require a solution to this as we have only one
> 8mm DAT which everybody uses, and often there have been
> accidental overwrites by one guy on another guy's tape.

I have received the following basic suggestions:

1> Francois Leclerc (fleclerc@slb.com) suggested an RTFM in the System
   Administration AnswerBook: search for the C2 features allocate and
   deallocate. There is a bsmconv script in /etc/security which enables
   the Basic Security Module, after which the allocate and deallocate
   utilities can be used to lock and unlock access to a specified device.

2> Matthew (reynolmd@aston.ac.uk) suggested using the "-l" option
   of ufsdump. This automatically rewinds and ejects the tape when
   the end of tape is reached.

3> All the others suggested writing a wrapper script that
   basically does a chown (to the login id using the tape device) and
   chmod on the device files (in my case /dev/rst9 and /dev/nrst9) for the
   duration of the backup procedure, after which file ownership
   and permissions are restored to root.

Here are the setuid scripts that I have concocted for my site.

#!/bin/bash -p
# file : lock_tape
# usage : lock_tape
# This should have the permissions -
# -rws--x--x 1 root staff 349 Oct 1 19:01 lock_tape*
# Note: bash resets the effective uid to the real uid when it is started
# setuid unless -p is given, so without -p the chown below would fail.

# ls -L follows the /dev/rst9 symlink so the owner of the real device node is
# reported, and -n prints the numeric uid. Only one node is examined: the
# glob /dev/?rst9 matched both nodes and made $owner two words.
owner=`ls -lnL /dev/rst9 | tr -s " " " " | cut -f3 -d" "`
# $UID is bash's real uid of the caller. Unlike $USER it is not taken from
# the environment, so a caller cannot pick the uid the device is chowned to.
if [ "$owner" = "0" ]
then
        echo "Locking tape device ${TAPE:-/dev/rst9} for uid $UID..."
        chown $UID /dev/nrst9 /dev/rst9
        chmod go-rw /dev/nrst9 /dev/rst9
        echo "Please run unlock_tape after you finish your job"
else
        echo "Locked by uid $owner already ... "
        echo "Try after some time ... "
fi

#!/bin/bash -p
# file : unlock_tape
# usage : unlock_tape
# This should have the permissions -
# -rws--x--x 1 root staff 349 Oct 1 19:01 unlock_tape*
# Note: -p is needed for the same reason as in lock_tape.

# Same owner check as lock_tape: follow the symlink, numeric uid, one node.
owner=`ls -lnL /dev/rst9 | tr -s " " " " | cut -f3 -d" "`
# Compare against the caller's real uid, not $USER, so that only the user
# who locked the device (and not someone who sets USER=<that user>) can unlock.
if [ "$owner" = "$UID" ]
then
        echo "Unlocking tape device ${TAPE:-/dev/rst9}..."
        chown root /dev/nrst9 /dev/rst9
        chmod go+rw /dev/nrst9 /dev/rst9
else
        echo "${TAPE:-/dev/rst9} has been locked by uid $owner ... "
        echo "Cannot unlock ${TAPE:-/dev/rst9} "
fi

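lock_tape checks the device owner and then chowns it in two separate steps, so two users who run it at the same moment can both see the device as free and both proceed. As an added example (not from the original post or any of the replies), here is a POSIX sh version of the same lock built on mkdir, which is atomic, so only one caller can ever create the lock directory; the chown/chmod on the device nodes is applied only when the script runs as root on a host that actually has them. The device paths, the lock directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a race-free tape lock.
# lock_tape does "check owner, then chown"; two callers can pass the check at
# once. mkdir(2) is atomic, so only one caller ever creates the lock directory.
TAPE_DEVS="${TAPE_DEVS:-/dev/nrst9 /dev/rst9}"   # device nodes (assumed, as on the page)
LOCK_DIR="${LOCK_DIR:-/var/tmp/tape_lock.d}"    # lock directory (assumed path)

# Change owner/mode on the real device nodes. Only meaningful when run as
# root (e.g. setuid) on a host that has the nodes; elsewhere it is a no-op.
set_device_perms() {   # $1 = owner, $2 = chmod spec
    for dev in $TAPE_DEVS; do
        [ -e "$dev" ] && [ "$(id -u)" = 0 ] || continue
        chown "$1" "$dev" && chmod "$2" "$dev"
    done
    return 0
}

# tape_lock_owner: print the holder's name, or nothing if the tape is free.
tape_lock_owner() {
    if [ -f "$LOCK_DIR/owner" ]; then cat "$LOCK_DIR/owner"; fi
}

# acquire_tape_lock NAME: 0 if NAME now holds the lock, 1 if someone else does.
acquire_tape_lock() {
    mkdir "$LOCK_DIR" 2>/dev/null || return 1      # atomic: fails if it exists
    printf '%s\n' "$1" > "$LOCK_DIR/owner"
    set_device_perms "$1" go-rw
}

# release_tape_lock NAME: 0 on success, 1 if NAME is not the holder.
release_tape_lock() {
    [ "$(tape_lock_owner)" = "$1" ] || return 1
    set_device_perms root go+rw
    rm -f "$LOCK_DIR/owner" && rmdir "$LOCK_DIR"
}

# Command-line use: "lock" or "unlock". The caller's *real* uid is used, so
# the name cannot be spoofed via $USER when the script runs setuid root.
case "${1:-}" in
    lock)   acquire_tape_lock "$(id -urn)" ||
                { echo "Locked by $(tape_lock_owner) already"; exit 1; } ;;
    unlock) release_tape_lock "$(id -urn)" ||
                { echo "Held by $(tape_lock_owner); cannot unlock"; exit 1; } ;;
esac
```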
--------------------------------------------------------------------

But in case you want to lock the tape device for root only, use the following
scripts. They remove the setuid bits from the two scripts above (so nobody
else can run them) and remove rw permissions on the device files for others.

#!/bin/bash
# file : lock_tape_root
# usage : lock_tape_root
# This should have the permissions -
# -rwx------ 1 root daemon 247 Oct 1 18:28 lock_tape_root*

echo "Removing setuid from lock_tape & unlock_tape scripts."
echo "Locking tape access for root only ..."
chmod u-s /usr/bin/lock_tape /usr/bin/unlock_tape
chmod go-rw /dev/nrst9 /dev/rst9
echo "Remember to restore permissions ... "

#!/bin/bash
# file : unlock_tape_root
# usage : unlock_tape_root
# This should have the permissions -
# -rwx------ 1 root daemon 247 Oct 1 18:28 unlock_tape_root*

echo "Restoring setuid on lock_tape & unlock_tape scripts."
chmod 04711 /usr/bin/lock_tape /usr/bin/unlock_tape
chmod go+rw /dev/nrst9 /dev/rst9

--------------------------------------------------------------------

Thanks a lot to all who replied.

Jaydeep Kulkarni



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:05 CDT