On Wed, Aug 11, 2010 at 01:34:44PM -0400, Brian Cuttler wrote:
> As a matter of principle, SOP, we don't like to ssh/rsync as root
> and generally don't allow root ssh/rsync into a box. Better/safer
> to move the security stuff to a lower powered user if you can.

I'm familiar with the argument. Let me give you my take on it:

http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc11.9.9

Downside:
Direct root logins make accountability harder - you have only the
source IP to go on.

Upside:
You can back up the entire [file] system remotely.
You can rsync stuff owned by users without valid login shells or
authorized_keys.

For me, I'm the only root user, and only allow key-based logins, so
there's no downside.

I'll look into your SGID directory idea for group ownership.

PS: rsync kinda assumes when doing --preserve-uids that UIDs (or maybe
it was user names) map. When they don't exist on target system, you
either get "owned by destination user" (no --preserve-uids), or "owned
by wrong user", both of which have drawbacks. It'd be nice to have a
way to map users, but not a must-have.

-- 
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email [email protected] to get blacklisted.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
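
The ownership outcomes raised in the PS above, as an added example that is not part of the original message and not rsync's code: a simplified Python model of rsync's documented owner handling when the receiving side runs as root (without -o/--owner the file belongs to the receiving user; with it, user names are matched first and the sender's numeric ID is the fallback; --numeric-ids skips names). The account tables and the names receiver_uid and owner_drift are constructed for illustration.

```python
# Added illustration: simplified model of rsync's documented owner handling
# on a receiver running as root. Not rsync's code; sample accounts are constructed.

SRC = {0: "root", 1000: "alice", 1001: "bob", 1002: "carol"}    # sender: uid -> name
DST = {"root": 0, "alice": 1005, "dave": 1001, "backup": 1000}  # receiver: name -> uid


def receiver_uid(src_uid, src_names, dst_names, owner=True,
                 numeric_ids=False, run_as_uid=0):
    """Return the UID a transferred file ends up with on the receiver."""
    if not owner:
        # Without -o/--owner the file belongs to whoever runs the receiving side.
        return run_as_uid
    if numeric_ids or src_uid == 0:
        # --numeric-ids skips name lookup; UID 0 is never mapped by name.
        return src_uid
    name = src_names.get(src_uid)
    if name in dst_names:
        # Same user name exists on the receiver: use that account's UID.
        return dst_names[name]
    # No matching name on the receiver: fall back to the sender's number.
    return src_uid


def owner_drift(src_names, dst_names, **opts):
    """List (src_name, src_uid, dst_uid, dst_name) for every sender account whose
    files would not land on the same-named account on the receiver."""
    dst_by_uid = {uid: name for name, uid in dst_names.items()}
    report = []
    for uid, name in sorted(src_names.items()):
        got = receiver_uid(uid, src_names, dst_names, **opts)
        got_name = dst_by_uid.get(got)  # None: no account holds this UID
        if got_name != name:
            report.append((name, uid, got, got_name))
    return report


if __name__ == "__main__":
    modes = [("-o", {}), ("-o --numeric-ids", {"numeric_ids": True}),
             ("no -o", {"owner": False})]
    for label, opts in modes:
        print(label)
        for row in owner_drift(SRC, DST, **opts):
            print("   %s (uid %d) -> uid %d owned by %s" % row)
```

Run against the real passwd tables of both hosts before a transfer, a check like this shows which files would end up under another account's UID on a live destination; for a pure backup target that is restored to the original host, keeping the numeric IDs is usually what is wanted.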
