<div dir="ltr">I suppose I could put a new ACL on every file/directory on the system. Presumably there's a way to just add it to the top level and have it propagate all the way down. But then again this is Solaris 11, which is exclusively ZFS, and there are *many* file systems. It would be hard to ensure every file system (and descendants) *always* gets the "backup" ACL added to it in a timely fashion.<div><br></div><div>That's why I was wondering if there was a "Backup Operator" type of group. I suspect there isn't such a thing. Likely my only option is the "backup ACL" approach, manually marking everything readable by the backup account I choose. I'm not especially concerned about performance or disk space. ;-)</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 4, 2015 at 8:25 AM, Trevor Cordes <span dir="ltr"><<a href="mailto:trevor@tecnopolis.ca" target="_blank">trevor@tecnopolis.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2015-05-04 Kevin McGregor wrote:<br>
> Is that possible/feasible? In Windows, there's a group called "Backup<br>
> Operator" which does something like this. Is the only alternative in<br>
> Solaris to make the account a member of the "root" group? I don't care<br>
> about e.g. device files and the like. I just want the account to be<br>
> able to back up regular ZFS user-type file systems.<br>
<br>
</span>That's a perennial UNIX question. I'd like to know the answer too!<br>
<br>
Personally, on Linux boxes where groups aren't used at all for user<br>
files I want backed up (they are all just Samba shared as the owner), I<br>
use samba settings to ensure all files are group "backup" or similar<br>
and group readable. Cheesy, but it works because I 100% control access<br>
to those files via limited daemons.<br>
<br>
If your situation isn't similar (i.e. you are using groups for something<br>
meaningful, or want to backup whole-systems like including /etc) then<br>
that is useless.<br>
<br>
I'm sure there's an ACL solution, and I'm (pretty) sure Solaris has<br>
ACL's. However, something about making a zillion ACL's just to do<br>
backups rubs me the wrong way. Sure, if the ACL's are small enough<br>
they'll just get stored in the inode (I think), but I'd sure hate to<br>
waste a fs block just for an ACL if it didn't (if there already were<br>
ACL's on the files, selinux, etc).<br>
<br>
I hope some other members will give a more useful answer...<br>
<br>
(It would be nice if there was a standard, automatic UNIX account called<br>
root-ro!)<br>
<br>
(Oh ya, and dump/restore should be able to bypass all inode user/group<br>
restrictions, but use at your own risk.)<br>
_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</blockquote></div><br></div>