Re: getting rid of permission denied partial transfer errors
Jim Salter wrote:

> > yeah, except that the directory is not 700 but 600, so even user backup cannot traverse it... but root can.
>
> Have you considered using sudo such that the fileserver isn't actually logging into the backupserver as root, but only logging in as a heavily *un*privileged account which can do nothing but run a script chmodded 750 and chowned root.backup, which then sudo's rsync to do your bidding?

Sorry for the late reply. I have been thinking about this, but I can't figure out how to use sudo effectively. You are suggesting to use sudo to run the script. However, my concern is that to run rsync inside the script, root privileges must be granted to some user (remember the ssh shell), so that triggering synchronization is possible, but the script needs rights to log as root at the other end.

> When I use an SSH transport, that's how I use it. My servers won't allow remote root login to begin with (and that's the way I like it), and by doing it that way there's really nothing that compromising the backup account can do other than give someone the ability to run my daily backups for me. Not too scary, that.

Does the backup script have read access to the files? Mine doesn't, as stated above, and that's where everything screws up. :-( By the way, can a user be granted read access of everything without any other right? I have chosen to ignore the errors, but I am still curious.

--
Sayan

--
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: getting rid of permission denied partial transfer errors
> The rsync command tries to send sample_file to the backup server, which cannot write it because it was not able to recurse into my_directory. Removing the -p switch and removing the backup file did not succeed, and rsync continued to preserve the perms even without the switch. I am running rsync 2.5.5 on debian woody/stable.

Hm. You apparently missed something when you tried changing the switches - if you aren't running rsync with -a, -o, or -g, it won't create files or directories as owned by anyone but the user context it is running under. So permissions are no longer a problem, because even if a directory is 700, when it's owned on the backup server by user backup, user backup can of course traverse it.

chown -R backup /mnt/backup; chgrp -R backup /mnt/backup, rewrite your script to get rid of all instances of -a, -o, or -g, then if you're still getting errors show us what your revised script looks like.

Jim Salter
Re: getting rid of permission denied partial transfer errors
Jim Salter wrote:

> > The rsync command tries to send sample_file to the backup server, which cannot write it because it was not able to recurse into my_directory. Removing the -p switch and removing the backup file did not succeed, and rsync continued to preserve the perms even without the switch. I am running rsync 2.5.5 on debian woody/stable.
>
> Hm. You apparently missed something when you tried changing the switches - if you aren't running rsync with -a, -o, or -g, it won't create files or directories as owned by anyone but the user context it is running under. So permissions are no longer a problem, because even if a directory is 700, when it's owned on the backup server by user backup, user backup can of course traverse it.

yeah, except that the directory is not 700 but 600, so even user backup cannot traverse it... but root can.

--
Sayan
Re: getting rid of permission denied partial transfer errors
> yeah, except that the directory is not 700 but 600, so even user backup cannot traverse it... but root can.

Ah, I see. Sounds like you're down to either running as root on both ends, or ignoring errors.

Have you considered using sudo such that the fileserver isn't actually logging into the backupserver as root, but only logging in as a heavily *un*privileged account which can do nothing but run a script chmodded 750 and chowned root.backup, which then sudo's rsync to do your bidding?

When I use an SSH transport, that's how I use it. My servers won't allow remote root login to begin with (and that's the way I like it), and by doing it that way there's really nothing that compromising the backup account can do other than give someone the ability to run my daily backups for me. Not too scary, that.

Jim Salter
Re: getting rid of permission denied partial transfer errors
> Ah, I see. Sounds like you're down to either running as root on both ends, or ignoring errors. Have you considered using sudo such that the fileserver isn't actually logging into the backupserver as root, but only logging in as a heavily *un*privileged account which can do nothing but run a script chmodded 750 and chowned root.backup, which then sudo's rsync to do your bidding?

Or he could use SSH2 keys and an authorized_keys2 file, with ssh set to allow root on forced-command-only. This would prevent root logins, but allow a single box (or boxes) to rsync in and have read-only access to a specific share. Or you could create a passwordless uid 0 user specifically for this purpose. If you were really paranoid, the forced-command could be a script to check for abnormal behaviors and bail out if something is fishy.

There's multiple layers of authentication (the key itself, the from-host of ssh, and the allowed host in rsync), and exactly what is backed up can be pretty locked down and chrooted to prevent intentional or unintentional misuse.

Tom
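The forced-command check suggested in the message above, as an added example (not code from any poster in this thread): a gate script that sshd runs in place of whatever the client requested, and that lets through only an rsync server-side receive into one fixed directory. The script path, the `from=` address, the key and the sample flag cluster are constructed placeholders; `/mnt/backup/` is taken from the rsync command quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed authorized_keys entry
# (address, script path and key are placeholders):
#   from="192.0.2.10",command="/usr/local/sbin/rsync-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder backup-push
# If the key is installed for root, sshd_config also needs:
#   PermitRootLogin forced-commands-only

ALLOWED_DEST="/mnt/backup/"    # destination used in the thread's rsync command

# check_rsync_cmd CMD -> 0 only if CMD is "rsync --server <flags> . $ALLOWED_DEST"
check_rsync_cmd() {
    set -f                     # no filename expansion while splitting
    set -- $1                  # split the client's command into words
    set +f
    [ "$#" -ge 4 ] || return 1
    [ "$1" = rsync ] || return 1
    [ "$2" = --server ] || return 1
    shift 2
    while [ "$#" -gt 2 ]; do
        case $1 in
            --delete|--numeric-ids) ;;     # long options the backup job uses
            --*) return 1 ;;               # --sender, --log-file=..., anything else
            -*[!A-Za-z.]*) return 1 ;;     # short cluster with an attached argument
            -?*) ;;                        # plain short-flag cluster, e.g. -logDtprSHz
            *) return 1 ;;                 # stray word (extra path, shell syntax)
        esac
        shift
    done
    [ "$1" = . ] && [ "$2" = "$ALLOWED_DEST" ]
}

# sshd puts what the client asked to run in SSH_ORIGINAL_COMMAND.
# Unset or empty (an interactive login attempt) falls through: no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted: validated words become argv
    fi
    echo "rsync-gate: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The gate still lets the client choose the short rsync flags; later rsync releases ship an `rrsync` helper script that serves the same purpose.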
Re: getting rid of permission denied partial transfer errors
> Or he could use SSH2 keys and an authorized_keys2 file,

Waxing pedantic, that really ought to be and/or. SSH2 keys are great as an added layer of security to apply some paranoia as to *what* box is calling the script, no matter what user account you're using to log in with.

> allow root on forced-command-only. This would prevent root logins, but allow a single box (or boxes) to rsync in and have read-only access to a specific share. Or you could create a passwordless uid 0 user specifically for this purpose. If you were really paranoid, the

Eek. I would personally be more nervous about stray uid 0 accounts floating around or direct root logins enabled (forced-command or no) than about using sudo to call a script.

Jim Salter
Re: getting rid of permission denied partial transfer errors
sure avoid all perm/user issues by making the whole server suid. seen kids do that when they tired of having to su - root on their linux systems.

The alternative would be to enable ssh for root for those particular cron jobs, make sure the sshd_config is edited to disable this mischief after the job has run, and send and receive as root on both ends, and set the proper rsync switch to retain owners/perms.

Thanks,

Ron DuFresne

Sayan wrote:

> Hi, I am currently setting up a backup script for the /home directory of a server. I send all the files on a remote machine through LAN connection using rsync to optimize bandwidth usage. The script is run as root on the server by a cron job but rsync connects to the remote machine as a normal user via an ssh key certificate. This leads to many permission denied errors, as the server side can read files (as root), but cannot create them on the receiving side.
>
> rsync -azSHe ssh --delete --numeric-ids /home [EMAIL PROTECTED]:/mnt/backup/
>
> Is there an option to ignore only such errors? I have read the man page over and over but I could not find anything to suit my needs. thanks

--
Ron DuFresne
ITS Unix Group
919-871-6466

--
ITS policy requires the following notice: E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official.
Re: getting rid of permission denied partial transfer errors
On Mon, Dec 22, 2003 at 09:11:26PM +0100, Sayan wrote:

> Hi, I am currently setting up a backup script for the /home directory of a server. I send all the files on a remote machine through LAN connection using rsync to optimize bandwidth usage. The script is run as root on the server by a cron job but rsync connects to the remote machine as a normal user via an ssh key certificate. This leads to many permission denied errors, as the server side can read files (as root), but cannot create them on the receiving side.
>
> rsync -azSHe ssh --delete --numeric-ids /home [EMAIL PROTECTED]:/mnt/backup/
>
> Is there an option to ignore only such errors? I have read the man page over and over but I could not find anything to suit my needs.

Strange clustering: two people with the same problem.

Why ignore the errors? They are meaningful unless you don't really care about whether the backups are any good.

If you insist on doing it this way go to the backup server and chown the relevant file set to the account used. Then review your rsync arguments and eliminate any that are in conflict with running as a normal user: -a, -o, --numeric-ids, and probably -g

--
J.W. Schultz
Pegasystems Technologies
email address: [EMAIL PROTECTED]

Remember Cernan and Schmitt
Re: getting rid of permission denied partial transfer errors
Ron DuFresne wrote:

> sure avoid all perm/user issues by making the whole server suid. seen kids do that when they tired of having to su - root on their linux systems.

this command is only one line extracted from a script. Syncing of other files requires root privileges on the server side, e.g. squid logs.

> The alternative would be to enable ssh for root for those particular cron jobs, make sure the sshd_config is edited to disable this mischief after the job has run, and send and receive as root on both ends, and set the proper rsync switch to retain owners/perms.

I have tried to refrain from being root on both systems. ;-) The backup machine is quite paranoid, access is restricted by firewall filtering of the MAC/IP pairs. It would be quite disappointing to allow remote root access. I am having trouble with user/group matching, too, as a consequence.

--
Sayan

> > I am currently setting up a backup script for the /home directory of a server. I send all the files on a remote machine through LAN connection using rsync to optimize bandwidth usage. The script is run as root on the server by a cron job but rsync connects to the remote machine as a normal user via an ssh key certificate. This leads to many permission denied errors, as the server side can read files (as root), but cannot create them on the receiving side.
> >
> > rsync -azSHe ssh --delete --numeric-ids /home [EMAIL PROTECTED]:/mnt/backup/
> >
> > Is there an option to ignore only such errors? I have read the man page over and over but I could not find anything to suit my needs.
Re: getting rid of permission denied partial transfer errors
On Mon, Dec 22, 2003 at 10:14:05PM +0100, Sayan wrote:

> Ron DuFresne wrote:
>
> > sure avoid all perm/user issues by making the whole server suid. seen kids do that when they tired of having to su - root on their linux systems.
>
> this command is only one line extracted from a script. Syncing of other files requires root privileges on the server side, e.g. squid logs.
>
> > The alternative would be to enable ssh for root for those particular cron jobs, make sure the sshd_config is edited to disable this mischief after the job has run, and send and receive as root on both ends, and set the proper rsync switch to retain owners/perms.
>
> I have tried to refrain from being root on both systems. ;-) The backup machine is quite paranoid, access is restricted by firewall filtering of the MAC/IP pairs. It would be quite disappointing to allow remote root access. I am having trouble with user/group matching, too, as a consequence.

It is good for a backup server to be paranoid. That is why dirvish pulls. It is much harder to be secure and push.

> --
> Sayan
>
> > > I am currently setting up a backup script for the /home directory of a server. I send all the files on a remote machine through LAN connection using rsync to optimize bandwidth usage. The script is run as root on the server by a cron job but rsync connects to the remote machine as a normal user via an ssh key certificate. This leads to many permission denied errors, as the server side can read files (as root), but cannot create them on the receiving side.
> > >
> > > rsync -azSHe ssh --delete --numeric-ids /home [EMAIL PROTECTED]:/mnt/backup/
> > >
> > > Is there an option to ignore only such errors? I have read the man page over and over but I could not find anything to suit my needs.

--
J.W. Schultz
Pegasystems Technologies
email address: [EMAIL PROTECTED]

Remember Cernan and Schmitt
Re: getting rid of permission denied partial transfer errors
jw schultz wrote:

> On Mon, Dec 22, 2003 at 09:11:26PM +0100, Sayan wrote:
>
> > I am currently setting up a backup script for the /home directory of a server. I send all the files on a remote machine through LAN connection using rsync to optimize bandwidth usage. The script is run as root on the server by a cron job but rsync connects to the remote machine as a normal user via an ssh key certificate. This leads to many permission denied errors, as the server side can read files (as root), but cannot create them on the receiving side.
> >
> > rsync -azSHe ssh --delete --numeric-ids /home [EMAIL PROTECTED]:/mnt/backup/
> >
> > Is there an option to ignore only such errors? I have read the man page over and over but I could not find anything to suit my needs.
>
> Why ignore the errors? They are meaningful unless you don't really care about whether the backups are any good.

I don't care if the backups of the users' homes are not perfect. Running as root on both sides is not an option, so there has to be limits anyway. Config files and logs are much more important, and backing up of the homes is bonus. As this command is run on a daily basis by a cron job, the same errors get reported every day. That's why I am looking for a way to suppress these particular error messages. (which I find perfectly normal btw)

> If you insist on doing it this way go to the backup server and chown the relevant file set to the account used. Then review your rsync arguments and eliminate any that are in conflict with running as a normal user: -a, -o, --numeric-ids, and probably -g

That didn't solve the problem when I tested it some time ago. One failure example is trying to send files that cannot be written:

Server side:

    dr--r--r-- my_directory
    dr--r--r-- my_directory\sample_file

The rsync command tries to send sample_file to the backup server, which cannot write it because it was not able to recurse into my_directory. Removing the -p switch and removing the backup file did not succeed, and rsync continued to preserve the perms even without the switch. I am running rsync 2.5.5 on debian woody/stable.

I have considered stripping the command down to the barest options (recursive compress and ssh) but the errors still get reported.

--
Sayan