On Sep 12, 2010, at 1:45 PM, Joe wrote: > On 11/09/10 22:15, Hal Vaughan wrote: >> I will be working with a server on the Internet that uses rsync and is >> running Debian. I will be setting up initial /etc/rsyncd.conf and >> /etc/rsyncd.secrets files on it. But along the way, whenever a new user is >> added, they'll need to be updated. I can use ssh on this system, but, of >> course, I don't want to allow root access. >> >> I'd like to be able to have these files updated automatically when I add a >> new user to another system. I could create new copies of the files locally, >> where the users are added and use scp to copy them to a directory on the >> server. But that's where there are problems. How can I chown the files to >> root, copy them to /etc, and chmod as needed for rsync to use them >> automatically? >> >> I don't see a way to do that without security issues. I need to somehow ssh >> in and do an su or run three commands as sudo (I need to mv the file, chown >> it, and chmod it). >> >> I am far from an expert in security, but I can see that if I have anything >> in place to make this easy, then anyone hacking my user account could easily >> mess up anything in the system. >> >> Is there some way I can set this up so I can update rsyncd.conf and >> rsyncd.secrets only automatically when I have the newer versions on my local >> system to be uploaded? >> >> >> Thanks for any ideas! >> >> >> >> Hal >> > How quickly do you need the updates? Cron will run scripts as root, and can > run your script as often as you can stand the overhead. You just need to get > the files there in a safe way.
I had completely overlooked that idea and someone sent it to me privately a little while ago. While I like what Rob Owens suggested, I'm leaning toward this. I think it's possible that I could send up the minimum information in a file and have the cron job be a Perl script that takes that info and builds the rsyncd.conf and rsyncd.secrets files from there, which reduces the possibility of a rogue file being copied over somehow. Still, none of the ideas is perfect, but putting together the conf files on the site, as opposed to sending them directly, has certain merits. Thanks! Hal -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/c04810b6-f31e-45a7-ad91-c8d5fe13f...@halblog.com
