backup script - moodledata/sessions zip warning: permission denied

by Francisco Cortes -
Number of replies: 4

Hi 

my moodle version is Moodle 3.2+ (Build: 20161222) which is installed on a server running centos 6 on gcloud, which I'm managing myself (I'm mostly a noob playing to be a server admin so please bear with me)

I'm working on a backup script to automate the backup of my moodle install and I'm using a user that is not root or apache to run the script but of course this has led to a permissions issue:

the data folder has another folder called sessions, the content of this folder has a good number of files with permissions that look like this:

-rw-------. 1 apache apache

the problem I have is that the user under which I'm running the backup script, which again is neither root nor apache, gets this error when executing the zip command in my script once it hits the data/sessions/ folder:

zip warning: permission denied 

I figure I could do 2 things:

1. give the apache group read permissions on the content of the sessions folder, and make my backup script owner be part of the apache group

or

2. give my script owner read permissions on the sessions folder content

I'm wondering which option is more secure or ideal

alternatively, is there a third option I should be considering when looking at my automated backup strategy, maybe I'm trying to invent the wheel here or something? and I certainly would like to avoid it if I can.

any advice is greatly appreciated

Thank you in advance.

Thank you

Average of ratings: -
In reply to Francisco Cortes

Re: backup script - moodledata/sessions zip warning: permission denied

by Howard Miller -
Secure from what? If you are the only user of your server (i.e. not shared) then you're only really securing from yourself and from possible security issues in the bits of software that might give enhanced access to external users.

I would run the backup script as the web server user - mostly because it's easiest - but your solution 1 is also fine. The (small) risk with running as root is doing something stupid means that (potentially) the backup files can be written anywhere, overwriting anything.
Average of ratings: Useful (1)
In reply to Francisco Cortes

Re: backup script - moodledata/sessions zip warning: permission denied

by Rick Jerz -
Good experimenting, and learning, Francisco. Learning will take a while (I am still at it, too) but stick with it.
I might not fully understand a few things. It appears that you are saying that you are not "root." However, can you be? Can you not issue a command, "su" and become root (substitute user?) I think for some tasks that you want to do you might need to have root access. (Howard might correct me.)
Average of ratings: Useful (1)
In reply to Francisco Cortes

Re: backup script - moodledata/sessions zip warning: permission denied

by Ken Task -

What's 'gcloud'?   Google Compute Engine?

If so, got one of those myself.

CentOS 6 typical install, defines 'apache' (the web server user) 'home' as /var/www/

Your moodle code resides in /var/www/html/

Your moodledata is in /var/www/

Apache user has access rights already to /var/www/ and nothing in that directory is directly accessible via browser not logged onto your moodle.  To be able to do that one would have to add to config of apache the ability to see/access ... and there is no reason to do that ... shouldn't do that.

There probably is a 'broken' .htaccess file in moodledata - added protections from direct access via browser.

What you might have experience with is remotely hosted where the customer login/id is used for a 'jailed' public_html directory ... not the same as having full control of server.

For backup purposes, one can sudo -s to root only if account used to login is in 'wheel' group (sudoers).  And in a GCE instance the gmail account used to create the project/GCE instance is in that group (sudoer) automagically.

And, for better compression and reliable backups, suggest using tar/gunzip (that's what your course backups (those .mbz's) should be).

Would think you'd want no issues with full site backups so suggest sudo -s (becoming root) is best - and saving those to a directory completely outside of anything apache user could access ... like /home/backups/

and just a heads up ... CentOS 6 end of life is November 30th, 2020 ... after that date, no more fixes/patches to anything OS wise and considering the state of the internet these days not advisable to be running anything that can't acquire updates.

There is no 'in place' upgrade path to CentOS 7 so you will be looking at full backups of your Moodle being created and stored off the server, wiping out the CentOS 6 instance, spinning up a fresh CentOS 7 ... getting everything to run ... PHP/MySQL (compatible with your version of Moodle) then restoring your moodle backup.

'SoS', Ken

Average of ratings: Useful (1)
In reply to Ken Task

Re: backup script - moodledata/sessions zip warning: permission denied

by Francisco Cortes -
Hi Howard, Rick, Ken

thank you so much for getting back to me

I didn't want to use either root or the apache user to get my backup script working so with some trickery in the /etc/sudoers I managed to give my custom backup-user permission to run zip and cp commands as sudo for the data and html files of my moodle installation and then finally today, after weeks of tries and failures, I managed to get my script to execute as needed and now I'm able to backup the moodle install locally and remotely everyday and automatically.

Thank you again for your feedback and info on centos 6 and for the tar/gunzip suggestion which I will look into, I do plan to get centos 7 setup in gcloud (google compute vm instance) if we were to consider continuing with moodle which at this point is a conversation that the school is having given the cost and hassle that it takes to maintain the server ourselves, we're considering implementing google classroom instead which of course has its cons and pros.

It's definitely good, though, to know that we're not by ourselves out there so I do want to thank you all three for your input and for sharing your knowledge.

In case someone is interested here's the script I've been using and that I've been adapting

any suggestions and feedback are always welcome.

#!/bin/bash

# Script Name: Local and Remote MoodleBackup
# By: Edward Owens and Adapted by Francisco Cortes
# Date: April 2011 - 2019
# Purpose: Backup Moodle, Moodledata, and Database and zip them in a single zip file. Keep only two backups on hand.
# If there are already two backups on hand, then overwrite the oldest one.
#==========================================================================================================================

#------Variables-----------------------------------------------------------------------------------------------------------
suffix=$(date +%B-%Y) # date stamp
logname="/home/moodlersyncuser/backups/${suffix}_backup.log" # absolute path to logfile
file_name1="/home/moodlersyncuser/backups/moodle1gc.zip" # absolute path to backup 1
file_name2="/home/moodlersyncuser/backups/moodle2gc.zip" # absolute path to backup 2
zip1="/var/www/html/moodleic/" # absolute path to moodle root
zip2="/var/www/data/" # absolute path to moodle data
sql_name="/home/moodlersyncuser/backups/moodle_db.sql" # absolute path to sql file
dbName="[moodle's db]" # db Name
dbUser="[moodle's db user]" # db User
dbPassword="[moodle's db user's password]" # db Password
dbHost="localhost" # db Host
email="[email@fornotification.edu]" # email where notification is sent
rsyncpath="/usr/bin/sudo /usr/bin/rsync" # rsync path on remote server
remotesudouser="moodlersyncuser" # user used to ssh into remote server
remoteserver="remote server's ip" # remote backupserver
remotersyncbackuplocation="/home/moodlersyncuser/backups/" # location on remote server to store rsync backups
#----------------------------------------------------------------------------------------------------------------------------

# start a fresh log for this run
echo "Started--> $(date +%H:%M:%S)" > "$logname"
echo "Dumping database"
mysqldump --opt --user="$dbUser" --password="$dbPassword" --host="$dbHost" "$dbName" > "$sql_name"

# rotate: backup 2 is the newest, backup 1 the previous one
if test -e "$file_name1"; then
    if test -e "$file_name2"; then
        echo "copying moodle2gc.zip to moodle1gc.zip"
        sudo cp "$file_name2" "$file_name1" >> "$logname"
        echo "removing moodle2gc.zip"
        rm -f "$file_name2" >> "$logname"
        echo "creating moodle2gc.zip"
        sudo zip -r "$file_name2" "$zip1" "$zip2" "$sql_name" >> "$logname"
    else
        echo "creating moodle2gc.zip"
        sudo zip -r "$file_name2" "$zip1" "$zip2" "$sql_name" >> "$logname"
    fi
else
    echo "creating moodle1gc.zip"
    sudo zip -r "$file_name1" "$zip1" "$zip2" "$sql_name" >> "$logname"
fi

# remove sql file
echo "removing $sql_name"
rm "$sql_name"

if test -e "$file_name1"; then
    # rsync moodle1gc.zip to remote server
    echo "rsyncing zip moodle1gc.zip to remote server"
    rsync -avz -e "ssh" \
        --rsync-path="$rsyncpath" \
        --numeric-ids \
        "$file_name1" "$remotesudouser@$remoteserver:$remotersyncbackuplocation" >> "$logname"
fi
if test -e "$file_name2"; then
    # rsync moodle2gc.zip to remote server
    echo "rsyncing zip moodle2gc.zip to remote server"
    rsync -avz -e "ssh" \
        --rsync-path="$rsyncpath" \
        --numeric-ids \
        "$file_name2" "$remotesudouser@$remoteserver:$remotersyncbackuplocation" >> "$logname"
fi
echo "Finished--> $(date +%H:%M:%S)" >> "$logname"
echo "Finished--> $(date +%H:%M:%S)"

# send a message to the email noted above.
echo "Sending email to $email"
echo "Moodle Backup and rsync Completed on gc" | mail -s "Moodle Backup and rsync Completed on gc" -a "$logname" "$email"
echo "done"
Average of ratings: Useful (1)
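
Added example, not part of any post in this thread: one way to take the "third option" asked about in the first post, archiving moodledata with tar/gzip while leaving out sessions, so the apache-only session files are never read. It assumes GNU tar, that sessions, cache, localcache, temp and trashdir hold only data Moodle regenerates, and that the account running it can read the rest of moodledata; the function name, archive name and all paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are assumptions.

# Assumption: these moodledata subdirectories hold only data that Moodle
# regenerates, so a restore works without them. Skipping "sessions" is
# what avoids the "permission denied" warning on the -rw------- files.
SKIP_DIRS="sessions cache localcache temp trashdir"

# backup_moodledata SRC_DIR DEST_DIR
# Archives SRC_DIR into DEST_DIR/moodledata-YYYY-MM-DD.tar.gz and prints
# the archive path. DEST_DIR must be outside SRC_DIR (and outside anything
# the web server can serve or write to).
backup_moodledata() {
    local src dest out tmp d
    src=$1
    dest=$2
    [ -d "$src" ] && [ -d "$dest" ] || return 1

    out="$dest/moodledata-$(date +%Y-%m-%d).tar.gz"
    tmp="$out.partial"

    # Build one --exclude per skipped directory. "./name" only matches at
    # the top of the tree because tar is run from inside SRC_DIR.
    set --
    for d in $SKIP_DIRS; do
        set -- "$@" "--exclude=./$d"
    done

    (
        umask 077    # archive contains user uploads: owner-only, -rw-------
        tar -C "$src" "$@" -czf "$tmp" . &&
        tar -tzf "$tmp" >/dev/null    # must list cleanly before it is kept
    ) || { rm -f "$tmp"; return 1; }

    # Rename only after verification, so a failed run never replaces
    # the previous good archive.
    mv -f "$tmp" "$out" && printf '%s\n' "$out"
}
```

Called as `backup_moodledata /var/www/data /home/backups`, it needs no sudo rule for zip or cp when run by an account that can already read moodledata.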