---------- Forwarded message ----------
From: Hal Vaughan <h...@halblog.com>
Date: Sun, Sep 12, 2010 at 11:52 PM
Subject: Re: Updating files in /etc Remotely (and automated)
To: "Huang, Tao" <deb...@huangtao.me>

On Sep 12, 2010, at 9:33 AM, Huang, Tao wrote:

> On Sun, Sep 12, 2010 at 5:15 AM, Hal Vaughan <h...@halblog.com> wrote:
>> I will be working with a server on the Internet that uses rsync and is
>> running Debian. I will be setting up initial /etc/rsyncd.conf and
>> /etc/rsyncd.secrets files on it. But along the way, whenever a new user is
>> added, they'll need to be updated. I can use ssh on this system, but, of
>> course, I don't want to allow root access.
>>
>> I'd like to be able to have these files updated automatically when I add a
>> new user to another system. I could create new copies of the files locally,
>> where the users are added and use scp to copy them to a directory on the
>> server. But that's where there are problems. How can I chown the files to
>> root, copy them to /etc, and chmod as needed for rsync to use them
>> automatically?
>>
>> I don't see a way to do that without security issues. I need to somehow ssh
>> in and do an su or run three commands as sudo (I need to mv the file, chown
>> it, and chmod it).
>>
>> I am far from an expert in security, but I can see that if I have anything
>> in place to make this easy, then anyone hacking my user account could easily
>> mess up anything in the system.
>>
>> Is there some way I can set this up so I can update rsyncd.conf and
>> rsyncd.secrets only automatically when I have the newer versions on my local
>> system to be uploaded?
>
> What about setting up a root cron job that scans a specific folder,
> let's say /home/some/where, reads the changes (in a predefined format)
> and updates files in /etc? That folder can be owned by any unprivileged
> user, and further checks (such as verifying gpg signatures) can be
> done in the cron script before any root file is written.
>
> When new users are added, just rsync the files to /home/some/where,
> and wait for the root cron script to notice the update, verify, and

I don't know why I hadn't thought of that!

There's one other idea someone suggested, using an automatic command with the authorized key for ssh, but I think that would still be an issue because I don't see how it would get around me typing in the password. A cron job could easily run every five or ten minutes or hour and that would still mean a new client would be up and running pretty quickly.

Thanks!

Hal

----End----

Oops, I didn't mean to send you a private message. Now I'm forwarding it to the list.

Tao

-- 
http://www.google.com/profiles/UniIsland
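
A sketch of the root cron job proposed in the thread, added here as an example and not written by either poster: it picks files up from the unprivileged drop directory, checks a detached GPG signature with gpgv against a root-owned keyring, and only then installs them into /etc with a fixed owner and mode. The keyring path, the variable and function names, the --cron argument and the NAME.sig naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): root cron job that installs rsyncd
# files from an unprivileged drop directory only after a signature check.
# Paths, variable names and function names are assumptions.
DROP=${DROP:-/home/some/where}               # writable by the upload account
DEST=${DEST:-/etc}
KEYRING=${KEYRING:-/root/rsyncd-update.gpg}  # root-owned keyring of trusted signers
OWNER=${OWNER:-root:root}

# verify_sig FILE SIG: true only if SIG is a valid detached signature over
# FILE made by a key in $KEYRING (gpgv trusts exactly the keyring it is given).
verify_sig() {
    gpgv --keyring "$KEYRING" "$2" "$1" >/dev/null 2>&1
}

# install_verified NAME MODE -> 0 installed, 1 rejected, 2 nothing to do
install_verified() {
    name=$1; mode=$2
    src=$DROP/$name; sig=$src.sig
    [ -f "$src" ] && [ -f "$sig" ] || return 2
    # DROP is attacker-writable if the upload account is compromised.
    if [ -L "$src" ] || [ -L "$sig" ]; then return 1; fi
    work=$(mktemp -d) || return 1
    tmp=$(mktemp "$DEST/.$name.XXXXXX") || { rm -rf "$work"; return 1; }
    rc=1
    # Copy first, then verify and install the private copy, so the file
    # cannot be swapped between the check and the write into /etc.
    if cat "$src" >"$tmp" && cat "$sig" >"$work/sig" &&
       verify_sig "$tmp" "$work/sig" &&
       chown "$OWNER" "$tmp" && chmod "$mode" "$tmp" &&
       mv -f "$tmp" "$DEST/$name"; then
        rc=0
        rm -f "$src" "$sig"
    fi
    rm -rf "$work"; rm -f "$tmp"
    return $rc
}

# Cron entry point. rsyncd.secrets must not be readable by other users.
main() {
    for spec in rsyncd.conf:644 rsyncd.secrets:600; do
        install_verified "${spec%:*}" "${spec#*:}" ||
            [ $? -eq 2 ] || logger -t rsyncd-update "rejected ${spec%:*}"
    done
}
if [ "${1:-}" = "--cron" ]; then main; fi
```

On the signing side, `gpg --detach-sign rsyncd.secrets` produces the rsyncd.secrets.sig that is uploaded next to the file. The private key stays on the machine where users are added, so a compromised upload account can place files in the drop directory but cannot get them installed.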