On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:

> On Sun, Sep 12, 2010 at 12:01:26PM -0400, Hal Vaughan wrote:
>>
>> On Sep 12, 2010, at 10:51 AM, Rob Owens wrote:
>>
>>> On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
>>>> I will be working with a server on the Internet that uses rsync and is
>>>> running Debian. I will be setting up initial /etc/rsyncd.conf and
>>>> /etc/rsyncd.secrets files on it. But along the way, whenever a new user
>>>> is added, they'll need to be updated. I can use ssh on this system, but,
>>>> of course, I don't want to allow root access.
>>>>
>>>> I'd like to be able to have these files updated automatically when I add a
>>>> new user to another system. I could create new copies of the files
>>>> locally, where the users are added and use scp to copy them to a directory
>>>> on the server. But that's where there are problems. How can I chown the
>>>> files to root, copy them to /etc, and chmod as needed for rsync to use
>>>> them automatically?
>>>>
>>>> I don't see a way to do that without security issues. I need to somehow
>>>> ssh in and do an su or run three commands as sudo (I need to mv the file,
>>>> chown it, and chmod it).
>>>>
>>>> I am far from an expert in security, but I can see that if I have anything
>>>> in place to make this easy, then anyone hacking my user account could
>>>> easily mess up anything in the system.
>>>>
>>>> Is there some way I can set this up so I can update rsyncd.conf and
>>>> rsyncd.secrets only automatically when I have the newer versions on my
>>>> local system to be uploaded?
>>>>
>>>>
>>> When using ssh keys to log in, you can specify (in
>>> ~/.ssh/authorized_keys) a command which will automatically run when that
>>> key is used to log in. And that key will be useless to do anything
>>> else. Simply using that key to connect to the remote server will run
>>> that command.
>>>
>>> The authorized_keys file would look something like this:
>>>
>>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... m...@myhost
>>
>> I see. That would make perfect sense and I see I can use -i to specify
>> which key to use, so for normal situations, I just use "ssh host," and when
>> I want this done, I do "ssh -i .ssh/special_key host" instead.
>>
>> I thought I knew about authorized keys, but didn't know you could specify a
>> command to be run in that file.
>>
>>> You could use this to ssh into the remote server as root, or as a user
>>> with very specific sudo privileges that will allow your script to run.
>>> (The script would perform the file changes you need done, or simply
>>> rsync them from your local machine).
>>
>> But if I'm not running as root, from what I can see, no matter what I do
>> with sudo, I still have to type in a password, don't I? Using the
>> authorized_keys file and specifying what can be done at login does a lot to
>> help with security, but if I don't log in as root, no matter what I do, I'll
>> still have to type in a password to use either "su" or "sudo," right? Or is
>> there a way around it? I was going through man pages, but it seems both
>> require a password to be typed in no matter what.
>>
> In /etc/sudoers, you can specify "NOPASSWD", like this:
>
> someuser ALL=NOPASSWD: /path/to/some/command
>
> Then "someuser" can run the specified command as root without typing a
> password.

My bad, in this case. I read the SUDO man page over a few times, but forgot to read the SUDOERS man page.

Thanks!

Hal
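
An added example, not part of the original messages: one way the script behind the forced command and the NOPASSWD rule discussed in this thread could install the two staged files without trusting the upload directory. The script path, the `--install` argument, the staging directory and both validation policies are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical path /usr/local/sbin/install-rsyncd), wired up as:
#   authorized_keys: command="sudo /usr/local/sbin/install-rsyncd --install" ssh-rsa AAAA...
#   sudoers:         someuser ALL=NOPASSWD: /usr/local/sbin/install-rsyncd --install
# Keep this script root-owned and not writable by the uploading account.
STAGING=${STAGING:-/home/someuser/rsync-staging}  # assumed scp drop directory
DEST=${DEST:-/etc}                                # overridable for dry runs
OWNER=${OWNER:-root}
GROUP=${GROUP:-root}

# Regular, non-empty, and not a symlink.
is_plain_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ]
}

# Policy of this example: only "user:password" lines, #-comments, blank lines.
valid_secrets() {
    is_plain_file "$1" || return 1
    ! grep -Evq '^(#.*|[[:space:]]*|[A-Za-z0-9._-]+:.+)$' "$1"
}

# Policy of this example: refuse a config that makes the daemon run commands.
valid_conf() {
    is_plain_file "$1" || return 1
    ! grep -Eiq '^[[:space:]]*(pre|post)-xfer[[:space:]]*exec[[:space:]]*=' "$1"
}

# Copy both files into a private directory first (cp -P keeps a symlink a
# symlink), validate the copies, then install with fixed names, owner and mode.
# Checking the copy means a later swap in the staging directory has no effect.
install_staged() {
    work=$(mktemp -d) || return 1
    rc=1
    if cp -P "$STAGING/rsyncd.conf" "$STAGING/rsyncd.secrets" "$work/" 2>/dev/null &&
       valid_conf "$work/rsyncd.conf" && valid_secrets "$work/rsyncd.secrets" &&
       install -o "$OWNER" -g "$GROUP" -m 644 "$work/rsyncd.conf" "$DEST/rsyncd.conf" &&
       install -o "$OWNER" -g "$GROUP" -m 600 "$work/rsyncd.secrets" "$DEST/rsyncd.secrets"
    then rc=0
    fi
    rm -rf "$work"
    return "$rc"
}

# Whatever the client asked for (SSH_ORIGINAL_COMMAND) is never consulted; the
# only action is the fixed argument that the sudoers rule permits.
if [ "${1:-}" = "--install" ]; then
    install_staged
fi
```

Because the sudoers rule names one fixed command line, a stolen upload key or a compromised `someuser` account can at most replace the two rsync files with content that passes these checks.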