Hello, On 15-03-15 15:12:36, Benjamin Redling wrote: > On 2015-03-15 12:40, Adam Goryachev wrote: > > On 14/03/2015 22:08, Angus Kerr wrote: > [...] > >> #Sudoers file for backuppc user to run rsync > >> > >> backuppc ALL=NOPASSWD: /usr/bin/rsync > >> > > > > Note that this will give the user root access easily enough. The user > > could create the file they want in /tmp, and then use sudo rsync to > > overwrite the target file (or copy a file they don't have read access to > > a location they do have access, including another machine). Therefore, > > this entire process is hardly worth the effort and additional complexity > [...] > > A lot of sources at least agree on that being unsafe. > AFAIK rrsync should be the proper way and justify the effort. > > e.g. http://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/
Another possibility is to run the backup once (actually, one full, one incremental) and check the logs for the rsync commands used: Mar 20 08:02:26 host sudo: backuppc : TTY=unknown ; PWD=/var/lib/backuppc ; USER=root ; COMMAND=/usr/bin/rsync --server --sender --numeric-ids --perms --owner --group -D --links --hard-links --times --block-size=2048 --recursive --checksum-seed=32761 . / Mar 23 08:06:24 host sudo: backuppc : TTY=unknown ; PWD=/var/lib/backuppc ; USER=root ; COMMAND=/usr/bin/rsync --server --sender --numeric-ids --perms --owner --group -D --links --hard-links --times --block-size=2048 --recursive --checksum-seed=32761 --ignore-times . / And then restrict the sudoers entries using the full commands, i.e. /usr/bin/rsync with all the options as per the log entries instead of just /usr/bin/rsync, which should prevent rsync being used to overwrite arbitrary files. Obviously that doesn't help against the "read and copy any files to wherever the backuppc user can copy files to", which is sometimes also called "doing a backup". ;) In addition, I'd suggest using at least the from= option for the authorized_keys entry, like for example from="<backuppc-server-ip>",no-pty,no-port-forwarding,no-agent-forwarding, no-X11-forwarding Cheers Wolfgang
signature.asc
Description: Digital signature
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ BackupPC-users mailing list [email protected] List: https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki: http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
