On Thursday 07 February 2008 08:34:33 pm Bernd Haug wrote:
> Red Mop wrote:
> > The idea here is that I don't want to leave all of my computers on all
> > the time.  So when they boot up, or if they happen to be on, once per
> > day, it creates a file on the server via ssh.  The server, having
> > detected this file via inotify, then immediately proceeds to backup the
> > server.  This cuts down on the error messages cron sends me, and also
> > allows for simultaneous backups.
>
> Now I get you, cool.
> But IMO, you kinda do that bass-ackwards.
>
> Why not just do the following:
>
> (1) [on the server] just make the user that triggers the backup via file
> diddling a NOPASSWD sudoer for the exact command lines for all the
> vaults (somebody else already posted how to do single vaults).
>
> DON'T just make the whole dirvish commands sudoable without specifying
> each of the parameter sets because then any parameter may be used for
> sudo, and future bugs may make you vulnerable to malicious command lines
> from local logins as that user.

The file that I intend to create is named the client's hostname, and the 
contents are the IP(s).  I don't want the client machines having the command 
lines on them.

> (2) [on the server] write a script that takes no parameters and does
> both tasks for that vault, with the sudo commands you configured.
>
> You don't need parameters because you can read the hostname (which
> defines the vault(s) to run) from the SSH_CLIENT variable. Now enforce
> running that script, and that script only, in the key that allows the
> user to login to the server in the first place. While you're at it,
> disallow forwarding, X...maybe inhibit vt allocation. The necessary docs
> for authorized_keys are in the manpage of sshd. This way you're secure
> but still only need to manage one key in that place.
>
> For distributing a new private key in case a client gets subverted, see
> capistrano or cfengine.

My SSH_CLIENT variable is my IP address, not my hostname.  IP addresses 
change, especially when I am remote, and reverse lookups don't always match 
hostnames.  Do you use the same hostname as your broadband provider?  My 
laptop can also have 1 of 3 IPs.  One for wired, one for wireless, and one 
for vpn, all of which are dynamically assigned.  I need to send my hostname 
so I know which vaults, and the IP so I know where they are to back them up.

> (3) [on the clients] call that script via ssh at boot right after
> starting sshd instead of just creating a file on the server. The backup
>   runs right then and you need neither polling nor inotify magic, which
> makes it more portable; with the measures above, it should also be at
> least as secure.

If the client creates the file via a cron job, I don't have to worry about 
multiple reboots in a day.  My cron daemon (fcron) handles that situation for 
me.

> Also, please get your posting in order. Your top-posting was annoying
> and you changed that; thanks. But now I see newlines between all the
> lines in your posts, and I see your bottom-posts in a different font
> than all the others - have you turned on HTML by mistake? If you did it
> intentionally, it was still a mistake, if you catch my drift.

Personally, I prefer top posts over bottom posts, as every email client I've 
yet seen starts at the top, and top posting lets me get right to the topic at 
hand, as opposed to paging down through stuff I've already read.  I'll try to 
remember to use bottom posting for this list.

I've no intention to start a flame, I'm just stating why, and I'll leave it at 
that.

HTML was an accident.  And it was only one post.

> Finally, you should limit the key that allows the server to log back
> into the client for backups to the exact rsync commandline that's run on
> that specific machine (see the sshd logs), in the same way as you
> limited the key to notify to start the backup.

Good idea, thanks

I also like the idea of having another 'fake' user create the files for me.  
Thank you for that.

> Yours, Bernd


_______________________________________________
Dirvish mailing list
[email protected]
http://www.dirvish.org/mailman/listinfo/dirvish

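Added example for the scheme discussed in this thread; it is not code from either poster or from the dirvish project. It is the server-side forced command Bernd proposes in step (2), adjusted for Red Mop's constraint that the client sends only its hostname and keeps no dirvish command lines: the hostname arrives in SSH_ORIGINAL_COMMAND, the client's current IP is taken from SSH_CLIENT, the hostname is checked against a whitelist before it can touch a path or a sudo command line, the IP is recorded in a hostname-named file (the same shape as the file-drop design), and then the one exact command line that sudoers permits is run. The script name, the user name backup-trigger, the vault names laptop and desktop, the spool directory, and the authorized_keys and sudoers lines in the header comment are all assumptions made for this example; the expire run and the wiring of the recorded IP into the vault's `client:` setting are left out.

```shell
#!/bin/sh
# dirvish-trigger: forced command for the "backup trigger" key on the dirvish
# server.  Added example for this thread, not code from either poster.
# Assumed (hypothetical) setup, none of it from the original thread:
#
#   authorized_keys of the unprivileged user "backup-trigger" on the server:
#     command="/usr/local/bin/dirvish-trigger",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... trigger@client
#
#   sudoers on the server, one exact command line per vault (no wildcards):
#     backup-trigger ALL=(root) NOPASSWD: /usr/sbin/dirvish --vault laptop, /usr/sbin/dirvish --vault desktop
#
#   each client, from cron (or at boot), sends only its hostname:
#     ssh -i /etc/dirvish/trigger_key backup-trigger@server "$(hostname)"
#
# sshd runs the forced command instead of whatever the client asked for and puts
# the client's request into SSH_ORIGINAL_COMMAND; the client's address is the
# first field of SSH_CLIENT ("ip sport dport").  Vault names equal hostnames.

ALLOWED_HOSTS="laptop desktop"                       # constructed whitelist = vault names
DIRVISH=/usr/sbin/dirvish                           # must match the sudoers entry byte for byte
SUDO=${SUDO:-sudo}                                  # overridable for testing
SPOOL_DIR=${SPOOL_DIR:-/var/spool/dirvish-trigger}  # hostname -> last-seen IP, as in the file-drop scheme

log() { printf 'dirvish-trigger: %s\n' "$*" >&2; }

# Accept only a bare hostname that is on the whitelist: no leading '-', no
# shell metacharacters, no '/' or '..', so it can neither become an option nor
# escape SPOOL_DIR, and it can only select a sudoers line that already exists.
valid_host() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        -*|*[!a-z0-9-]*) return 1 ;;
    esac
    for h in $ALLOWED_HOSTS; do
        if [ "$h" = "$name" ]; then return 0; fi
    done
    return 1
}

# First field of SSH_CLIENT, restricted to the characters of an IPv4/IPv6 literal.
client_ip() {
    ip=${SSH_CLIENT%% *}
    [ -n "$ip" ] || return 1
    case $ip in *[!0-9a-fA-F:.]*) return 1 ;; esac
    printf '%s\n' "$ip"
}

# Record where the host currently is, then run the one command line sudo allows.
trigger() {
    host=$1
    valid_host "$host" || { log "rejected trigger request '$host'"; return 1; }
    ip=$(client_ip) || { log "no usable SSH_CLIENT"; return 1; }
    ( umask 077; printf '%s\n' "$ip" > "$SPOOL_DIR/$host" ) || return 1
    log "backing up vault $host (client at $ip)"
    $SUDO "$DIRVISH" --vault "$host"
}

main() {
    trigger "${SSH_ORIGINAL_COMMAND:-}"
}

# Only run main when installed under the expected name; sourcing the file or
# running it under another name just defines the functions.
case $0 in */dirvish-trigger|dirvish-trigger) main ;; esac
```

Because the whitelist is checked before the hostname is used anywhere, a subverted client holding the trigger key can at most start its own vault's backup early; it cannot pick another vault, smuggle an option into the dirvish command line, or write outside the spool directory, and the sudoers entries stay as narrow as Bernd asked for.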