First off, this is a great piece of software!  I'm backing up all my
Linux, Windows, and MacOS boxes now without having to maintain my
home-grown scripts to do the job (and waste space).  And I'm looking
forward to backuppcd whenever it gets ready for primetime.

Anyways, I'm attempting to do a remote rsync of a machine over ssh
with sudo.  The backup is successful as long as I don't use the
command="/home/user/bin/rsync-wrapper.sh" directive in my ssh
authorized_keys file.  I am guessing it has something to do with the
escaping of things as they get passed to the script.

The script doesn't modify the command passed to it, it just checks to
make sure I'm running an allowed command:

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
        *\&*)
                echo "Rejected"
                ;;
        *\(*)
                echo "Rejected"
                ;;
        *\{*)
                echo "Rejected"
                ;;
        *\;*)
                echo "Rejected"
                ;;
        *\<*)
                echo "Rejected"
                ;;
        *\`*)
                echo "Rejected"
                ;;
        nice\ -n\ 19\ sudo\ /usr/bin/rsync\ --server*)
                $SSH_ORIGINAL_COMMAND
                ;;
        *)
                echo "Rejected"
                ;;
esac

When going through the rsync-wrapper, the backup happens, but it backs
up things that are supposed to be excluded (and that are properly
excluded) when the wrapper isn't used and any command over ssh is
allowed.  It's almost like the rsync excludes get ignored - again
perhaps by an escaping error.

My relevant settings are:

$Conf{RsyncClientCmd} = '$sshPath -p 2222 -q -x -l user $host nice -n 19 sudo $rsyncPath $argList+';

$Conf{RsyncShareName} = ['/'];
$Conf{BackupFilesExclude} = ['Maildir'];
$Conf{BackupFilesOnly} = ['/home/user', '/etc/sxid.list',
'/etc/sxid.conf', '/scratch/backup/bin', '/etc/adm', '/root',
'/etc/cron.daily/webalizer', '/etc/webalizer', '/var/cache/bind',
'/etc/init.d/bind9', '/etc/group', '/etc/shadow', '/etc/passwd',
'/etc/sudoers', '/var/backups', '/etc/init.d/iptables-fw',
'/etc/init.d/iptables', '/var/lib/iptables', '/etc/portsentry',
'/etc/logcheck', '/etc/iptables', '/etc/apache2',
'/var/www/proftpdadmin', '/etc/proftpd', '/etc/mysql',
'/var/lib/mysql', '/usr/share/squirrelmail/plugins',
'/var/www/postfixadmin', '/etc/squirrelmail', '/etc/spamassassin',
'/etc/postfix', '/etc/pop-before-smtp', '/etc/mailman',
'/etc/courier', '/etc/clamav', '/etc/amavis', '/etc/aliases',
'/etc/maildroprc', '/etc/procmailrc'];

Like I said, when trying to verify the client command via the
rsync-wrapper, it attempts to back up the full drive /, /proc, /dev,
etc, so I know something is going screwy since it is only supposed to
back up the files I have specified.

If someone has a better suggestion for a wrapper script so I can only
allow this user to run the backup command over ssh, then please let me
know.

Thanks,
Brian
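
An added illustration, not part of the message above and not BackupPC code: it contrasts the argument list produced by the wrapper's bare $SSH_ORIGINAL_COMMAND line with the one a shell produces when it parses the same string, and shows an allowlist check that makes the second form safe to use. The sample command, its backslash-escaped exclude, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample of SSH_ORIGINAL_COMMAND. The backslash before * stands
# for shell escaping added on the sending side (an assumption of this demo).
SAMPLE='nice -n 19 sudo /usr/bin/rsync --server --sender --exclude=/\* . /'

# Print each argument on its own line so the argv is visible.
show_args() { for a in "$@"; do printf '%s\n' "$a"; done; }

# The wrapper's bare $SSH_ORIGINAL_COMMAND: the string is only word-split,
# quote removal never happens, so the backslash stays in the argument.
# set -f keeps the demo independent of files in the current directory.
args_unquoted() ( set -f; show_args $1 )

# Accept only the fixed prefix followed by arguments built from a small
# character allowlist or backslash-escaped single characters, so that
# parsing the string again cannot start a second command.
is_allowed() {
    case $1 in *'
'*) return 1 ;; esac          # no embedded newlines
    printf '%s\n' "$1" | grep -Eq \
      '^nice -n 19 sudo /usr/bin/rsync --server( ([A-Za-z0-9_=.,:/@%+-]|\\[^[:space:]])+)*$'
}

# After validation, let the shell parse the string the way the login shell
# does when no command= is set. show_args stands in for the real command;
# a wrapper would instead end with: exec sh -c "$SSH_ORIGINAL_COMMAND"
args_reparsed() (
    is_allowed "$1" || { echo "Rejected"; exit 1; }
    eval "set -- $1"
    show_args "$@"
)

echo "unquoted expansion:"; args_unquoted "$SAMPLE" | sed -n 8p
echo "validated re-parse:"; args_reparsed "$SAMPLE" | sed -n 8p
```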

