On 21.08.2014 09:01, Janne Johansson wrote:
"right to run rsync" ..as root?
Not that this is 0-days information, but scroll down to the rsync part (you
can read the rest later, somewhat Linux-centric on the tar part I guess)
http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
Anyone that can control the contents of the dir, and later run rsync there,
may have a decent way to shell out and do whatever.
Unless the specific rsync features are important to you, running chrooted
internal-sftp for copying may be smarter.
I need to back up stuff from Machine A to B, like the whole htdocs folder.
I don't think I can skip the part where some user or root has to do the
rsync job. So what I try to do is minimize the points of abuse for this
power. If you know a better way of syncing one machine to another, please
tell me, because if I can really skip the part where I have to give someone
the right to act as root I'll do it. But with my understanding and what I
have read so far it all melts down to the point when someone is telling you
"you can get this when you do it as root".
2014-08-21 8:47 GMT+02:00 Markus Rosjat <[email protected]>:
Just a short heads up how I did it now; you guys might want to share
your opinion on the security with this scenario.
machine A (from where I want to pull files):
- root can't log in over ssh
- sync user can only connect with auth key and from host B
- sync user is allowed to run rsync without pw (sudoers file)
machine B (from where the rsync is initiated):
- root can't log in over ssh
- sync user's private key is here
- sync user can log in with pw
Info on the network setup:
Machine A is only reachable from a firewall machine (not machine B!)
From the firewall you can't log in as the sync user on machine A (as mentioned
above)
Firewall directs traffic from outside only to Machine A
Of course you can't log in as root on the Firewall
So in my opinion it should be okay to give the sync user the right to run
rsync with no passwd.
And since we don't live in a world where we can secure something 100%, I
think the approach here is still acceptable.
But since there are a lot of more experienced people out there (when it comes
to security), I'm open to other suggestions.
Regards
On 19.08.2014 17:14, Joseph Borg wrote:
Wouldn't something like duplicity work better for you in this case?
Regards
Sent from my iPad
On 19 Aug 2014, at 16:53, Markus Rosjat <[email protected]> wrote:
On 19.08.2014 16:40, Erling Westenvik wrote:
On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
Is there any other thing I miss with the sudo approach?
Check out --usermap, --groupmap and --chown in the man page. Haven't
tried them myself but AFAIK these options were added to rsync(1) late in
2013 or early in 2014.
This may work on a one-file or one-user-directory basis, but if I want to
sync a location like /var/www/htdocs this will be a bit overkill, and no, I
don't want to write a script for this if I can avoid it.
--
Kind regards
Erling Westenvik
--
Markus Rosjat fon: +49 351 8107223 mail: [email protected]
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT
--
May the most significant bit of your life be positive.
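The thread's concern is the rsync side of the DefenseCode wildcard paper: a file name stored in the synced tree must never end up on rsync's command line as an option. An added example, not code from the thread or from any of its participants, of how the pull on machine B can be written so that it is immune to that: the source is always one allow-listed absolute directory, never a glob, and it is passed after `--`. The host name `a.example.net`, the allow-list, the backup path and the `sudo rsync` remote path are constructed assumptions; `--rsync-path`, `-a`, `--delete` and `-e` are real rsync options.

```shell
#!/bin/sh
# Added example (not from the thread): build the rsync pull command for the
# "sync user may run rsync via sudo on machine A" setup so that nothing inside
# the synced tree can be parsed as an rsync option.  Paths and hosts below are
# constructed placeholders.

# Directories this job is allowed to pull from machine A (assumed allow-list).
ALLOWED_SRC="/var/www/htdocs /etc/nginx"

# check_src PATH
# Succeeds only if PATH is absolute, does not look like an option, contains no
# whitespace (which could split into extra arguments) and is on the allow-list.
check_src() {
  src=$1
  case "$src" in
    -*)           return 1 ;;   # starts with '-': could be read as an option
    *[[:space:]]*) return 1 ;;  # whitespace: refuse rather than quote
    /*)           ;;            # absolute: acceptable so far
    *)            return 1 ;;   # relative path: refuse
  esac
  for allowed in $ALLOWED_SRC; do
    [ "$src" = "$allowed" ] && return 0
  done
  return 1                      # not on the allow-list
}

# build_rsync_cmd HOST SRC DST
# Prints the exact command line that would be run on machine B.  The source is
# one directory with a trailing slash (no shell glob), placed after "--", so a
# file named like an option inside the tree is copied as data, not interpreted.
# "--rsync-path='sudo rsync'" is what makes the sudoers grant on A take effect
# (assumed: rsync is in the sync user's PATH on A).
build_rsync_cmd() {
  host=$1; src=$2; dst=$3
  check_src "$src" || return 1
  printf '%s\n' \
    "rsync -a --delete --rsync-path='sudo rsync' -e ssh -- sync@$host:$src/ $dst/"
}
```

Run `build_rsync_cmd a.example.net /var/www/htdocs /backup/htdocs` from a wrapper to get the command to execute; a source such as `-e sh x` or any directory outside the allow-list makes the function return non-zero and print nothing, which is the check the sudo grant on A relies on the B side never bypassing.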