Skip to content

Apple Time Machine backups on Debian 9 (Stretch)

Debian

Netatalk 3.1.12 has been released which fixes an 18 year old RCE bug. The Medium write up on CVE-2018-1160 by Jacob Baines is quite an entertaining read.

The full release notes for 3.1.12 are unfortunately not even half as interesting.

Warning: Read the original blog post before installing for the first time. Be sure to read the original blog post if you are new to Netatalk3 on Debian Jessie or Stretch!
You'll get nowhere if you install the .debs below and don't know about the upgrade path from 2.2.x which is still in the Debian archive. So RTFA.

For Debian Buster (Debian 10) we'll have Samba 4.9 which has learnt (from Samba 4.8.0 onwards) how to emulate a SMB time machine share. I'll make a write up how to install this once Buster stabilizes. This luckily means there will be no need to continue supporting Netatalk in normal production environments. So I guess bug #690227 won't see a proper fix anymore. Waiting out problems helps at times, too :/.

Update instructions and downloads:

The update instructions (assuming you have installed the 3.1.9 gcrypt build before) are:

# install new debs
dpkg -i libatalk18_3.1.12-1_amd64.deb netatalk_3.1.12-1_amd64.deb
# reboot the box (restart of netatalk may not be sufficient)
reboot
# After reboot: remove the obsolete libatalk17 if you have updated from 3.1.9 (libatalk16 if you are coming from 3.1.8 or earlier)
dpkg -r libatalk17

All the source integration work has - as usually - already been done by Adrian Knoth1. Many thanks!

And here are the files:

File Function md5 sha1
libatalk-dev_3.1.12-1_amd64.deb (libgcrypt, systemd build, build 2) Development files for the libatalk library (dev only) 0ff18079d289cdb1b440a11b8885a021 0084fa96382d83b2693d56137c36e8ccd0660369
libatalk18_3.1.12-1_amd64.deb (libgcrypt, systemd build, build 2) libatalk library (needed) 8963137e2063d47eacd66a177a433706 ae88086c8e98d4bbb46025881bbd38f6bc396aa0
netatalk_3.1.12-1_amd64.deb (libgcrypt, systemd build, build 2) netatalk daemons (needed) 9694aa1cc1884eee5bb0f9e9042f5311 9c8817397bcaceaaa4dc6c4f224a7709979d47cf

It has been four years of out-of-archive Netatalk3 now. I hope these will be the final Netatalk files I need to publish (Samba 4.8/4.9 will provide the Time Machine functionality from Debian Buster onwards), so here are the detached debug symbols, too:

File Function
libatalk18-dbgsym_3.1.12-1_amd64.deb (libgcrypt, systemd build, build 2) Debug symbols for libatalk18
netatalk-dbgsym_3.1.12-1_amd64.deb (libgcrypt, systemd build, build 2) Debug symbols for netatalk 3.1.12

Update:

09.01.19: Ross Burton pointed out a bug on IRC yesterday:

 16:04 <rburton> trying to use your netatalk debs
 16:04 <rburton> (thanks for those!)
 16:04 <rburton> libatalk18 : Depends: libmysqlclient18 (>= 5.5.24+dfsg-1) but it is not installable

This snuck in despite mysql not being present in the pbuilder root. Most probably a fakeroot problem. I usually build on dedicated VMs and I should do so again (aka "note to self").

That bug is quite annoying to fix as the autotools setup from netatalk checks for presence of mysql_config ... and then links against non-existing libs regardless (it doesn't use any of the exports). The files linked above are updated ("build 2"). If you downloaded the debs before and don't have mysql / mariadb with the compat shim present on your system, please download again. NB: There's more useless deps in the build but none as bad as MySQL. Thanks Ross for the nudge!


  1. Full source code available from his repo. 

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Regis on :

Thanks for the article! I'm looking forward to the tutorial on using Time Machine with Samba. I can't get it to work on Buster myself. (Yes, this is a shameless cry for free help!)

Add Comment

Markdown format allowed
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Form options

Submitted comments will be subject to moderation before being displayed.