Of course running some sort of backup client/server application that installs as root is also an option, as it will presumably have some sort of secured access mechanisms as part of the app (I hope anyway ;)

although I don't actually know one to recommend

On Fri, Feb 12, 2010 at 8:31 PM, Tony Sceats <[email protected]> wrote:

> lol, yes, that's the bit I missed :)
>
> I guess ultimately you either have to relax the permissions on the files
> (eg, add a new backup group, chgrp and chmod the files), or relax the
> system access restrictions (eg, using sudo, as already suggested by Ken)
>
> I wonder which would have larger implications.. I would expect setting up
> extremely limited sudo commands allows more flexibility in the sorts of
> things you can do as well as not being a pita to keep stable over upgrades
> and installations
>
> On Fri, Feb 12, 2010 at 7:48 PM, James Gray <[email protected]> wrote:
>
>> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>>
>> > I may have missed something, or maybe someone else has suggested this
>> > already, but why not pull instead of push?
>> >
>> > ie, from the machine that is the backup, connect to the master server and
>> > rsync that way
>> >
>> > - this will mean that anything that's world readable but only writable by
>> > root won't be a problem (you can write locally, and read with a normal user)
>> > - anything that's readable only by root, well, you'd need root to back it
>> > up, I don't think you can escape that.
>>
>> Hi Tony,
>>
>> THAT is exactly the problem, and why we need "root at both ends" (keep it
>> clean people!). I'm not fussed if I push some data, and pull the rest, but
>> stuff like /etc/shadow is a real pain (there are others, but this one is
>> well known). I'm thinking I might just use root to tar up the problem files
>> (they aren't big) and transfer them using an unprivileged account, then get
>> root to unpack at the destination. Obviously the tar ball will need to be
>> packed and dropped in a secure way at the destination (encrypted file using
>> PKI or some such). This would work, but it would be ugly :(
>>
>> Eventually, the whole /etc/passwd and /etc/shadow problem will go away
>> when we implement "Likewise Enterprise" to hook into our Active Directory
>> (cough, hack, spit) which will manage all the USER accounts. Administrators
>> are so few and rarely turned over, we can manage those through the normal
>> *nix tools; and eventually puppet :)
>>
>> *Sigh*. I hate the audit-season :( Deloitte, you suck.
>>
>> Cheers,
>>
>> James
>> --
>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
