"right to run rsync " ..as root?

Not that this is 0-day information, but scroll down to the rsync part (you
can read the rest later; it's somewhat Linux-centric on the tar part, I guess)
http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Anyone who can control the contents of the dir and later run rsync there
may have a decent way to shell out and do whatever.

Unless the specific rsync features are important to you, running chrooted
internal-sftp for copying may be smarter.



2014-08-21 8:47 GMT+02:00 Markus Rosjat <[email protected]>:

> Just a short heads-up on how I did it now; you guys might want to share
> your opinion on the security of this scenario.
>
> machine A (from where I want to pull files):
> - root can't log in over ssh
> - sync user can only connect with auth key and from host B
> - sync user is allowed to run rsync without pw (sudoers file)
>
> machine B (from where the rsync is initiated):
>  - root can't log in over ssh
>  - sync user's private key is here
>  - sync user can log in with pw
>
> Info to the network setup
>
> Machine A is only reachable from a firewall machine (not machine B!)
> From the firewall you can't log in as the sync user on machine A (as mentioned
> above)
> The firewall directs traffic from outside only to machine A
> Of course you can't log in as root on the firewall
>
> So in my opinion it should be okay to give the sync user the right to run
> rsync with no passwd.
>
> And since we don't live in a world where we can secure something 100%, I
> think the approach here is still acceptable.
>
> But since there are a lot of more experienced people out there (when it comes
> to security), I'm open to other suggestions
>
> Regards
>
>
> On 19.08.2014 17:14, Joseph Borg wrote:
>
>> Wouldn't something like duplicity work better for you in this case?
>>
>> Regards
>>
>> Sent from my iPad
>>
>>  On 19 Aug 2014, at 16:53, Markus Rosjat <[email protected]> wrote:
>>>
>>> On 19.08.2014 16:40, Erling Westenvik wrote:
>>>
>>>> On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
>>>>
>>>>> Is there anything else I'm missing with the sudo approach?
>>>>>
>>>> Check out --usermap, --groupmap and --chown in the man page. Haven't
>>>> tried them myself but AFAIK these options were added to rsync(1) late in
>>>> 2013 or early in 2014.
>>>>
>>> this may work on a one-file or per-user-directory basis, but if I want to sync
>>> a location like /var/www/htdocs this will be a bit overkill, and no, I don't
>>> want to write a script for this if I can avoid it.
>>>
>>>> --
>>>> Kind regards
>>>> Erling Westenvik
>>>>
>>> --
>>> Markus Rosjat    fon: +49 351 8107223    mail: [email protected]
>>>
>>> G+H Webservice GbR Gorzolla, Herrmann
>>> Königsbrücker Str. 70, 01099 Dresden
>>>
>>> http://www.ghweb.de
>>> fon: +49 351 8107220   fax: +49 351 8107227
>>>
>>> Please check whether this mail really needs to be printed! Before
>>> you print it, think about your responsibility and commitment to the
>>> ENVIRONMENT
>>>
>>>


--
May the most significant bit of your life be positive.
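The risk raised above (entries in a synced directory whose names look like command-line options, which a script expanding an unquoted wildcard hands to rsync or tar as flags) can be audited and side-stepped from the defender's side. This is an added example, not code from the thread; it builds a small constructed directory tree itself and assumes nothing about the poster's machines.

```python
import os
import tempfile
from pathlib import Path


def find_option_like_entries(root):
    """Return sorted paths under root whose basename starts with '-'.

    A name like '-n' or '--checksum' is parsed as an option, not a file,
    when a script expands an unquoted glob such as `rsync -a * dest`.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("-"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def safe_args(root):
    """Argument list for rsync that cannot be misparsed: options are
    terminated with '--' and every entry is anchored with './', so a
    leading '-' in a filename is never seen as a flag."""
    entries = sorted(os.listdir(root))
    return ["--"] + [os.path.join(".", e) for e in entries]


def build_constructed_sample(root):
    # Constructed sample tree (not from the thread): one ordinary file
    # plus two entries whose names look like rsync options.
    Path(root, "index.html").write_text("ok")
    Path(root, "-n").write_text("")
    os.mkdir(os.path.join(root, "--checksum"))


def demo():
    """Build the sample tree, audit it, and return (flagged, safe_argv)."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        flagged = [os.path.basename(p) for p in find_option_like_entries(root)]
        return flagged, safe_args(root)


if __name__ == "__main__":
    flagged, argv = demo()
    print("option-like entries:", flagged)
    print("safe rsync arguments:", argv)
```

Run the audit on a directory before any privileged rsync touches it, and invoke rsync with `--` plus `./`-anchored paths rather than a bare glob.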
