# BackupPC CGI - Best way to do this?

## Chewi

I wrote an ebuild for the highly acclaimed BackupPC last night. It installs ok but it leaves the CGI side of things at a bit of a loose end. By default, it creates a new user called backuppc and uses a CGI wrapper script that is set to SUID. This doesn't seem to work with the default Apache setup but it's not really the ideal method anyway. Using mod_perl instead is supposed to be much more secure with better performance but it demands that I run Apache as a different user on a different port. This means I have to create a separate config file for Apache just for this. It seems like a lot of hassle and can't really be effectively automated in an ebuild. Running BackupPC as the apache user doesn't seem like a good idea. Any other suggestions?
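The separate-instance approach described in the post above, sketched as an added example that is not part of the original post or of the BackupPC ebuild. It assumes Apache 2.4 with shared modules and mod_perl 2; every path, the port and the htpasswd file name are assumptions to adjust for the actual install.

```apache
# Second Apache instance dedicated to the BackupPC CGI (added example).
# Start it as root with: apache2 -f /etc/apache2/backuppc-httpd.conf  (path is an assumption)
ServerRoot "/usr/lib/apache2"
PidFile    "/var/run/apache2-backuppc.pid"
ErrorLog   "/var/log/apache2/backuppc_error_log"

# Loopback only, on its own port, so the main server on port 80 is untouched.
Listen 127.0.0.1:8080
ServerName localhost

# Only the modules this instance needs.
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module       modules/mod_unixd.so
LoadModule authn_core_module  modules/mod_authn_core.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule authz_core_module  modules/mod_authz_core.so
LoadModule authz_user_module  modules/mod_authz_user.so
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule perl_module        modules/mod_perl.so

# Workers drop to the backuppc user, so the CGI can read the pool
# without a SUID wrapper and without running BackupPC as apache.
User  backuppc
Group backuppc

# Assumed layout: /var/www/backuppc/cgi-bin/BackupPC_Admin
DocumentRoot "/var/www/backuppc"

<Location /cgi-bin/BackupPC_Admin>
    SetHandler          perl-script
    PerlResponseHandler ModPerl::Registry
    PerlOptions         +ParseHeaders
    Options             +ExecCGI

    # BackupPC relies on the authenticated user name to decide
    # which hosts a visitor may see, so authentication is required.
    AuthType     Basic
    AuthName     "BackupPC"
    # Keep the password file outside DocumentRoot.
    AuthUserFile "/etc/backuppc/htpasswd"
    Require      valid-user
</Location>
```

Basic authentication sends credentials in the clear, which is why this sketch binds to loopback; reaching it from another machine calls for TLS or an SSH tunnel in front.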

----------

## Chewi

*bump* Help.

----------

## blake121666

I agree that running it as the apache user is a bad idea but that's what I'm currently doing. I get a teensy bit of security by putting in commonapache2.conf:

```
<IfModule mod_perl.c>
    <Directory /cgi-bin/BackupPC_Admin>
        AuthType Basic
        AuthName "Restricted BackupPC CGI"
        AuthUserFile /web/passwd
        Require valid-user
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
        Order deny,allow
        Deny from all
    </Directory>
</IfModule>
```

But this is my current hack setup.  I haven't gotten around to making this better and hope someone replies to your post with a better way.

BTW, the current perl ebuild doesn't have setuid perl by default ... requires a "perlsuid" USE flag.

----------

## Chewi

I suppose when I consider all the other things that the apache user has to do, it doesn't seem like such a bad idea. Apart from going through all the hassle of using a separate config on a separate port, I think this is probably the best option. At least you're one person who doesn't think that running it as apache is *such* a bad idea! Thanks a lot.

----------

## rewt_rawt

Hey Chewi,

Any chance of you posting your ebuild in this thread? I think there are quite a few Gentoo folks that would like to install BackupPC, but aren't up to the task of writing their own ebuild (like me).

Thanks,

Tom

----------

## Chewi

I'm REALLY busy right now but I'll dig it up later. I was hoping to find a better answer to the dilemma but oh well.

----------

## Chewi

I changed the ebuild so it runs BackupPC as the apache user by default. Get the ebuild here!

https://bugs.gentoo.org/show_bug.cgi?id=80818

----------

## rewt_rawt

For a busy person, you sure got that up fast!

Thanks a lot! I can't begin to say how much I appreciate this.

-Tom

----------

## Chewi

Glad I could help.

----------

## blake121666

I ended up deleting BackupPC from my machines.  I don't like the way it handles metadata but I like the way it pooled data.  So I wrote my own script that keeps metadata in a BerkeleyDB database to be run before and after any rsyncs either way.  I'm currently looking into having this done automagically using FUSE or LUFS .... thinking of making an rsync or rdiff based filesystem itself to add my own user hacks at the filesystem level.

----------

## massctrl

Hi all,

What's the status of this project?

What's keeping the ebuild from being accepted into portage?

This is a highly interesting piece of software; shame it isn't available yet in portage!!

----------

## Chewi

I wish I knew. Some of my ebuilds go into Portage straight away, some of them get stuck in Bugzilla for months. Luck of the draw, it seems.

----------

## chashab

*bump*

can't wait to see this ebuild in portage!

----------

## Chewi

Give the bug report a poke. They're not going to notice otherwise.

----------

## gondoi

Ok, I might be missing something here, but how do I set up ssh for this? The documentation requires you to run ssh-keygen as the backupPC user. If this is apache, I can't su - to this account to create the id files. I realize I could do it temporarily by creating a home and shell for it, but in the end I need to remove that. So how do I set up ssh for this? Anyone?

----------

## gondoi

I emerged the 2.1.1 version and I have gotten closer.  The only problem now is that I want to use a passphrase on my ssh key, but when I run a backup, it spits out a ton of passphrase entries.  I tried to install keychain to get past this, but it still asks me for the passphrase when starting a backup.  Does anyone have an idea on this?

----------

## Chewi

Not 100% sure about this but you can decrypt the keyfile I think. This technique is used for the same situation with Apache. Check out section 6.6 here.

http://www.linux.com/howtos/Apache-WebDAV-LDAP-HOWTO/ssl.shtml

----------

## gondoi

Well, that's not exactly what I was looking for. I can create an unencrypted key and everything works fine, but that is the thing: I don't want to unencrypt it.

----------

## henfri

Hi,

First of all, thanks for writing the ebuild.

Sadly, I cannot manage to get the user interface running.

What is necessary to get the CGI interface running after an `emerge apache2`, an `emerge backuppc` and the configuration of backuppc?

Greets,

Hendrik

----------

