On Tue, Sep 19, 2006 at 10:56:59AM -0500, Richard Geoffrion ([EMAIL PROTECTED]) wrote:
> Ken, what if the root login was restricted to only the backup
> server...with no ssh login allowed on the backup server?

On Tue, Sep 19, 2006 at 12:30:18PM -0600, Ken Dyke wrote:
> They are bean-counters. I tried to explain to them that root access was
> with ssh-keys only but that was not good enough, mainly because they did
> not understand what I was talking about. They still ask for Lennox
> anti-virus. I have been getting the buyoff on that one because I use
> clamAV on our mail server.
>
> Sorry. The short answer is no. No, ssh [EMAIL PROTECTED] logins.

Untested, Half Baked Idea:

Make a user account on the client called "backup", with UID/GID 0.
Give it an alternate home directory, restricted shell and environment
so it can only run rsync (but still reach the files it needs to back
up, perhaps via some symlinks). Invoke it with:

   rsh: ssh -l backup

in the VAULT/dirvish/default.conf file for the client involved, or
globally in master.conf.

If that meets the legal requirements, it should also work for the
bean-counters. It is, after all, not "root" ;-) And perhaps that
would be a good idea anyway, as it restricts the mischief that dirvish
can do.

Let us know how that works.

Keith

PS - on a related note, is it possible to safely mount the same Linux
file system twice, once the normal way and the second time read-only
on a different mount point? I have done this accidentally, but I
unmounted immediately when I discovered the error, so I do not know
if the files and metadata stay synchronized between the two mounts.
If this does work, then rsync from a separate read-only mount might
be even safer, and more in keeping with the spirit of Sarbanes Oxley.

-- 
Keith Lofstrom [EMAIL PROTECTED] Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
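
The "can only run rsync" restriction from the message above, as an added example that is not part of the thread or of dirvish: a forced-command wrapper for the "backup" account that accepts only rsync in server/sender mode. The script path /usr/local/sbin/rsync-only and the authorized_keys line shown in its comments are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the "backup" account.
# Assumed path /usr/local/sbin/rsync-only, set in that account's
# authorized_keys (key replaced by a placeholder):
#   command="/usr/local/sbin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY> dirvish

# Succeeds only for rsync in server/sender mode, the form the backup
# server requests when it pulls files from this client.
backup_cmd_allowed() {
    cmd=$1
    nl='
'
    case $cmd in
        # Shell metacharacters or a newline could chain a second command.
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*')'*|*'\'*) return 1 ;;
        *"$nl"*) return 1 ;;
    esac
    case $cmd in
        "rsync --server --sender "*) ;;   # client only sends, never receives
        *) return 1 ;;
    esac
    case " $cmd " in
        # Sender-side options that delete files after they are transferred.
        *" --remove-source-files "*|*" --remove-sent-files "*) return 1 ;;
    esac
    return 0
}

# sshd puts the requested command in SSH_ORIGINAL_COMMAND; it is unset for
# an interactive login, which then ends here without ever getting a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if backup_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f    # split on whitespace only, no filename expansion
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Paths containing spaces are mis-split by this sketch; rsync's own source tree carries a more complete restricted wrapper, rrsync, in its support directory.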
