Just a short heads-up on how I did it now; you guys might want to share
your opinion on the security of this scenario.
Machine A (from where I want to pull files):
- root can't log in over ssh
- sync user can only connect with auth key and from host B
- sync user is allowed to run rsync without pw (sudoers file)
Machine B (from where the rsync is initiated):
- root can't log in over ssh
- sync user's private key is here
- sync user can log in with pw
Info on the network setup:
Machine A is only reachable from a firewall machine (not machine B!)
From the firewall you can't log in as the sync user on machine A (as
mentioned above).
The firewall directs traffic from outside only to machine A.
Of course you can't log in as root on the firewall.
So in my opinion it should be okay to give the sync user the right to
run rsync with no passwd.
And since we don't live in a world where we can secure something 100%, I
think the approach here is still acceptable.
But since there are a lot of more experienced people out there (when it comes to
security), I'm open to other suggestions.
Regards
On 19.08.2014 17:14, Joseph Borg wrote:
Wouldn't something like duplicity work better for you in this case?
Regards
Sent from my iPad
On 19 Aug 2014, at 16:53, Markus Rosjat <ros...@ghweb.de> wrote:
On 19.08.2014 16:40, Erling Westenvik wrote:
On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
Is there any other thing I miss with the sudo approach?
Check out --usermap, --groupmap and --chown in the man page. Haven't
tried them myself but AFAIK these options were added to rsync(1) late in
2013 or early in 2014.
This may work on a one-file or user-directory basis, but if I want to sync a
location like /var/www/htdocs this will be a bit overkill, and no, I don't
want to write a script for this if I can avoid it.
--
Vennlig hilsen/Kind regards
Erling Westenvik
--
Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this e-mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT
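The setup in the top post gives the sync user passwordless sudo for rsync on machine A. As an added example, not taken from this thread, the fragments below pin that privilege to one fixed rsync server command, by combining a forced command in the sync user's authorized_keys with a sudoers rule that matches only that exact argument list, so the key held on machine B cannot be used to run anything else as root. The address 192.0.2.10 for machine B, the path /var/www/htdocs and the exact `--server` option string are assumptions.

```text
# /home/sync/.ssh/authorized_keys on machine A (a single line; wrapped here for readability)
# Only host B may use the key, it gets no pty and no forwarding, and sshd ignores whatever
# command the client asks for and runs the forced command instead.
from="192.0.2.10",command="/usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtprze.iLsfxC . /var/www/htdocs/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...KEY-PLACEHOLDER sync@machineB

# /etc/sudoers.d/sync on machine A (edit with: visudo -f /etc/sudoers.d/sync)
#
# Weak: any rsync invocation at all runs as root without a password
#   sync ALL=(root) NOPASSWD: /usr/bin/rsync
#
# Pinned: only the exact command sshd is forced to run matches; any other
# argument list falls through to the normal password prompt.
Defaults:sync !requiretty
sync ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -vlogDtprze.iLsfxC . /var/www/htdocs/

# The matching pull on machine B; its flags determine the --server string above:
#   rsync -avz -e ssh sync@machineA:/var/www/htdocs/ /srv/backup/htdocs/
```

The `--server` option letters differ between rsync versions and client flags, so capture the real string once from `$SSH_ORIGINAL_COMMAND` (for example with a temporary forced command that only logs it) and re-pin both files whenever rsync is upgraded on either side.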