On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:

> On Sun, Sep 12, 2010 at 12:01:26PM -0400, Hal Vaughan wrote:
>> 
>> On Sep 12, 2010, at 10:51 AM, Rob Owens wrote:
>> 
>>> On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
>>>> I will be working with a server on the Internet that uses rsync and is 
>>>> running Debian.  I will be setting up initial /etc/rsyncd.conf and 
>>>> /etc/rsyncd.secrets files on it.  But along the way, whenever a new user 
>>>> is added, they'll need to be updated.  I can use ssh on this system, but, 
>>>> of course, I don't want to allow root access.
>>>> 
>>>> I'd like to be able to have these files updated automatically when I add a 
>>>> new user to another system.  I could create new copies of the files 
>>>> locally, where the users are added and use scp to copy them to a directory 
>>>> on the server.  But that's where there are problems.  How can I chown the 
>>>> files to root, copy them to /etc, and chmod as needed for rsync to use 
>>>> them automatically?
>>>> 
>>>> I don't see a way to do that without security issues.  I need to somehow 
>>>> ssh in and do an su or run three commands as sudo (I need to mv the file, 
>>>> chown it, and chmod it).
>>>> 
>>>> I am far from an expert in security, but I can see that if I have anything 
>>>> in place to make this easy, then anyone hacking my user account could 
>>>> easily mess up anything in the system.
>>>> 
>>>> Is there some way I can set this up so I can update rsyncd.conf and 
>>>> rsyncd.secrets only automatically when I have the newer versions on my 
>>>> local system to be uploaded?
>>>> 
>>>> 
>>> When using ssh keys to log in, you can specify (in
>>> ~/.ssh/authorized_keys) a command which will automatically run when that
>>> key is used to log in.  And that key will be useless to do anything
>>> else.  Simply using that key to connect to the remote server will run 
>>> that command.
>>> 
>>> The authorized_keys file would look something like this:
>>> 
>>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... m...@myhost
>> 
>> I see.  That would make perfect sense and I see I can use -i to specify 
>> which key to use, so for normal situations, I just use "ssh host," and when 
>> I want this done, I do "ssh -i .ssh/special_key host" instead.
>> 
>> I thought I knew about authorized keys, but didn't know you could specify a 
>> command to be run in that file.
>> 
>>> You could use this to ssh into the remote server as root, or as a user
>>> with very specific sudo privileges that will allow your script to run.
>>> (The script would perform the file changes you need done, or simply
>>> rsync them from your local machine).
>> 
>> But if I'm not running as root, from what I can see, no matter what I do 
>> with sudo, I still have to type in a password, don't I?  Using the 
>> authorized_keys file and specifying what can be done at login does a lot to 
>> help with security, but if I don't log in as root, no matter what I do, I'll 
>> still have to type in a password to use either "su" or "sudo," right?  Or is 
>> there a way around it?  I was going through man pages, but it seems both 
>> require a password to be typed in no matter what.
>> 
> In /etc/sudoers, you can specify "NOPASSWD", like this:
> 
> someuser      ALL=NOPASSWD: /path/to/some/command
> 
> Then "someuser" can run the specified command as root without typing a
> password.

My bad, in this case.  I read the SUDO man page over a few times, but forgot to 
read the SUDOERS man page.  Thanks!



Hal
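
An added example, not part of the original thread: a root-side installer that the forced-command key and the NOPASSWD sudoers entry discussed above could point at. The script path, the staging directory and the user name are assumptions; the files are expected to have been copied into the staging directory with scp beforehand.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed wiring (names are hypothetical):
#   authorized_keys: command="sudo /usr/local/sbin/install-rsyncd-files",no-pty,no-port-forwarding ssh-rsa AAAA... comment
#   sudoers:         someuser ALL=NOPASSWD: /usr/local/sbin/install-rsyncd-files
# Nothing is read from the client: no arguments, no SSH_ORIGINAL_COMMAND.

# valid_file F: plain, non-empty file; symlinks left in staging are refused.
valid_file() { [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ]; }

# check_secrets F: every line is blank, a # comment, or name:password.
check_secrets() {
    ! grep -Ev '^(#.*|[[:space:]]*|[^:[:space:]]+:.+)$' "$1" >/dev/null 2>&1
}

# install_one SRC DEST MODE: copy to a temp name beside DEST, then rename,
# so rsync never sees a half-written file.
install_one() {
    tmp="$2.new.$$"
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m "$3" "$1" "$tmp" || return 1
    else
        install -m "$3" "$1" "$tmp" || return 1   # unprivileged test run
    fi
    mv -f "$tmp" "$2"
}

# install_staged STAGING ETC: validate both files first, then install both.
install_staged() {
    for f in rsyncd.conf rsyncd.secrets; do
        valid_file "$1/$f" || return 1
    done
    check_secrets "$1/rsyncd.secrets" || return 1
    install_one "$1/rsyncd.conf" "$2/rsyncd.conf" 644 &&
        install_one "$1/rsyncd.secrets" "$2/rsyncd.secrets" 600
}

# Runs only under its installed name; sourcing the file just defines functions.
case "$0" in
    */install-rsyncd-files) install_staged /home/someuser/staging /etc ;;
esac
```

Because the sudoers entry names this one script and the script takes no arguments, the special key can replace the two rsync files with validated copies and nothing else.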
