Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On 12/03/22 19:36, Bri Hatch via rsync wrote: On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync mailto:rsync@lists.samba.org>> wrote: Rsync includes a script named rrsync that handles this perfectly. And authprogs provides similar functionality, though you use yaml to define what is/isn't allowed. Thanks - I didn't look at this earlier. It looks like a more general alternative to my dirvish one. I'll have to investigate further. Though my use of ansible has given me a general dislike of yaml :-) Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Also, it appears that it requires the allowed directory to be specified in authorized_keys. Mine uses an external list of allowed directories, so I don't need lots of lines (and separate keys?) in authorized_keys in order to deal with the several directories I back up per host. Cheers, Richard On 12/03/22 21:01, Richard Hector via rsync wrote: It may do the job; it doesn't AFAIK explain why the options are undocumented :-) Cheers, Richard On 12/03/22 19:22, Kevin Korb via rsync wrote: Rsync includes a script named rrsync that handles this perfectly. On 3/12/22 01:08, Richard Hector via rsync wrote: On 12/03/22 18:38, Richard Hector via rsync wrote: And I do my backups (using dirvish) as root, using a key with a forced command. FWIW, that forced command is here: https://github.com/rwhector/dirvish-forced-command It's rather unpolished and undocumented, but comments very welcome :-) I've also had an issue due to some server-side-only arguments to rsync being undocumented, which means I can't validate them, and basically have to accept anything ... I'd love to know why this is or has to be the case :-) I didn't get any particularly useful answers back in January 2019 ... Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
It may do the job; it doesn't AFAIK explain why the options are undocumented :-) Cheers, Richard On 12/03/22 19:22, Kevin Korb via rsync wrote: Rsync includes a script named rrsync that handles this perfectly. On 3/12/22 01:08, Richard Hector via rsync wrote: On 12/03/22 18:38, Richard Hector via rsync wrote: And I do my backups (using dirvish) as root, using a key with a forced command. FWIW, that forced command is here: https://github.com/rwhector/dirvish-forced-command It's rather unpolished and undocumented, but comments very welcome :-) I've also had an issue due to some server-side-only arguments to rsync being undocumented, which means I can't validate them, and basically have to accept anything ... I'd love to know why this is or has to be the case :-) I didn't get any particularly useful answers back in January 2019 ... Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On 12/03/22 18:38, Richard Hector via rsync wrote: And I do my backups (using dirvish) as root, using a key with a forced command. FWIW, that forced command is here: https://github.com/rwhector/dirvish-forced-command It's rather unpolished and undocumented, but comments very welcome :-) I've also had an issue due to some server-side-only arguments to rsync being undocumented, which means I can't validate them, and basically have to accept anything ... I'd love to know why this is or has to be the case :-) I didn't get any particularly useful answers back in January 2019 ... Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On 12/03/22 06:06, Dr. Mark Asbach via rsync wrote: Hi Dan, Why not rsync directly as root? Then you can use a passwordless, passphraseless RSA (or similar) keypair. I'm not saying I agree with this, but ... That’s because these are cloud instances that get maintained by multiple admins. If we require all of them to log in as root, we would have to share the root password Not if you use ssh keys - just put each admin's public key in root's authorized_keys file. – and that would on one hand be a security/maintainability issue (if one person leaves the team, we’ll have to change and redistribute the root password), Just delete their key. on the other hand it would violate accountability (log files would only show logins by „root“ and after an issue, there would be no chance to know whom to ask about strange things). Harder, I think. I think with verbose logging, you can see the fingerprint of the key that was used, but that seems a bit messy. Both are the typical reasons for not using root accounts but going for sudo instead … I tend to agree with using sudo :-) OTOH, I have an ansible user that can sudo with no password. And I do my backups (using dirvish) as root, using a key with a forced command. Maybe that's an option? Each admin has a special key pair for this purpose, that allows login as root, but has a forced command on the server to do this rsync? Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: --server options
On 21/01/19 8:07 PM, Richard Hector via rsync wrote: > Hi all, > > I see a couple of earlier threads, particularly this one: > > https://www.mail-archive.com/rsync@lists.samba.org/msg32328.html > > partly answer my question, but not fully. > > I also am writing a wrapper, so that I can run multiple dirvish runs > against the same server, using forced commands, but without using > multiple keys to get multiple commands, which is my current workaround. > > But in the interests of locking things down, I'd like to know what the > options are in the -eSTRING section, so I can choose which to > allow/force. Is that documented anywhere? Or do I have to resort to the > source? > > And/or can I safely assume that anything in the -eSTRING won't let a > client get any more than I intended? Does the STRING just run from after > the -e to the next whitespace? Anybody? Are these options/flags deliberately kept obscure? Cheers, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
--server options
Hi all, I see a couple of earlier threads, particularly this one: https://www.mail-archive.com/rsync@lists.samba.org/msg32328.html partly answer my question, but not fully. I also am writing a wrapper, so that I can run multiple dirvish runs against the same server, using forced commands, but without using multiple keys to get multiple commands, which is my current workaround. But in the interests of locking things down, I'd like to know what the options are in the -eSTRING section, so I can choose which to allow/force. Is that documented anywhere? Or do I have to resort to the source? And/or can I safely assume that anything in the -eSTRING won't let a client get any more than I intended? Does the STRING just run from after the -e to the next whitespace? Thanks, Richard -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
