Bug 1379899

Summary: Documented ways to run backintime as root do not work.
Product: [Fedora] Fedora Reporter: bob mckay <urilabob>
Component: backintimeAssignee: hannes <johannes.lips>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: i, johannes.lips, projects.rg
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-13 14:58:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description bob mckay 2016-09-28 03:01:27 UTC 
Description of problem:
Backintime provides two ways to run as root in Fedora (A. from a gnome icon or B. with sudo -i). Neither works out-of-the-box in the documented ways. 

Version-Release number of selected component (if applicable):
1.1.12 

How reproducible:
Reliably

Steps to Reproduce:
A:
1. Click on backintime(root) icon

B:
1. Include user in group wheel (which, by the way, should be documented in the man page)
2. sudo -i backintime


Actual results:
A: Absolutely nothing happens (I assume backintime attempts to open a permissions dialog, but for some reason - probably the same as below - is unable to)

B: "Sorry, user rim is not allowed to execute '/bin/bash -c backintime' as root on bobslin."

This is despite rim being a member of group wheel, and wheel having full sudo permissions; rim is able to run most sudo commands successfully. There appear to be relevant messages in the logs:
Sep 28 11:52:30 bobslin audit[20415]: USER_CMD pid=20415 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rim" cmd=2F62696E2F62617368202D63206261636B696E74696D65 terminal=pts/0 res=failed'
Sep 28 11:52:30 bobslin sudo[20415]:      rim : command not allowed ; TTY=pts/0 ; PWD=/home/rim ; USER=root ; COMMAND=/bin/bash -c backintime

 but I can't figure out what they mean. The sealert browser does not show any alerts.


Expected results: 
Ideally: these mechanisms should be supported (since backing up the root filesystem as part of a backup is a reasonable use case), even if it's necessary to include warnings about security (I'm trying to create an encrypted backup with a strong password on a secured system with only a single user, so the security risks are relatively low)
Worst case: the documentation of ways to get root backups, that do not in fact work as described, should be removed. If there _is_ any way to get a working root backup, including required selinux or other security jiggery-pokery, it should be documented.

Additional info:
This is a new install of fedora 24;
Comment 1 bob mckay 2016-09-28 09:03:37 UTC 
OK, problem partly solved: sudo.conf originally contained:
wheel   ALL=(ALL)       ALL
I have added:
rim     ALL=(ALL)       ALL
and rim can now successfully run 'sudo -i backintime' - though it beats me why adding the 'rim' line should make a difference when rim was already a member of wheel. The point is, this needs to be documented, at minimum in the man page.

What also needs documenting is the correct recipe for running the configuration gui for setting up root backup. Clicking on the root backup icon still doesn't work. So far, it's looking like what is needed is:

sudo -i -E backintime-qt4

(it brings up the configuration screen OK, but I still have to confirm that I can save and run the configuration - this will take a while as I need another backup disk to do the test).
Comment 2 Raphael Groner 2016-09-28 19:02:46 UTC 
Works for me.

Did you try backintime-qt4-root in a terminal? I doubt backintime can run with sudo, better use 'pkexec backintime-qt4'.
Comment 3 bob mckay 2016-10-01 05:31:07 UTC 
Is it possible you have done additional configuration to allow the root gui to run from the icon? It still does not launch for me, and as I said, this is a very recent, close-to-stock f24 installation. The only thing that works for me to get a root gui still is:

    sudo -i -E backintime-qt4-root

which allowed me to create and run backintime root configurations. Even that only worked after I added my user (rim) to the sudoers file (I have reconfirmed that rim was already a member of wheel). I can confirm specifically that 

     pkexec backintime-qt4-root

does not work. It gives the error message

    No protocol specified
    app.py: cannot connect to X server :0.0
Comment 4 Raphael Groner 2016-10-01 08:06:49 UTC 
Again, it's not recommended to use sudo for backintime.

Use backintime-qt4 as normal user, or with pkexec if in need with root rights.

Use backintime-qt4-root for root user, it should prompt you for the password if you run it as normal user.

Mind the difference between the binaries backintime-qt4 and backintime-qt4-root!
Comment 5 hannes 2016-10-13 14:58:24 UTC 
There is a backintime-qt4-root command, so no need for sudo here. Think that can be closed.