Re: [OpenIndiana-discuss] Root as role vs. user and rsync
On Sun, 6 May 2012, Ignacio Marambio Catán wrote:

> There is one other option. Use ssh public key authentication to bypass the whole PAM/role nonsense and restrict what the user can do with the command option. See sshd(8) in its AUTHORIZED_KEYS FILE FORMAT section.

That is what I do. For even more security, the key triggers running a script which runs rsync in server mode over ssh using an rsync.conf configuration file specific to this purpose. If someone were to gain access to the key, they could still only read data enabled to be read using the key.

I have been backing up multiple types of hosts with this strategy for four years now without a problem.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
[OpenIndiana-discuss] Root as role vs. user and rsync
I finally decided to take the bullet and make root a role instead of a user. All went well except for my nightly backup. I have a backup server that rsyncs my various collection of Linux, OpenIndiana, Windows, and Mac machines nightly. Without root as a user, how do I set up rsync to ssh onto the machine and retrieve the root system files on OpenIndiana?

Thanks,
Gary
Re: [OpenIndiana-discuss] Root as role vs. user and rsync
On Sun, May 6, 2012 at 2:07 PM, Gary Gendel g...@genashor.com wrote:

> I finally decided to take the bullet and make root a role instead of a user. All went well except for my nightly backup. I have a backup server that rsyncs my various collection of Linux, OpenIndiana, Windows, and Mac machines nightly. Without root as a user, how do I set up rsync to ssh onto the machine and retrieve the root system files on OpenIndiana?

There are two ways as I see it:

1. Start rsyncd (see http://wiki.openindiana.org/oi/rsync+daemon+service+on+OpenIndiana) and set up a share for '/' which you then can rsync against. You can either do this directly over the network (unencrypted) or SSH into the machine and connect to rsyncd through localhost.

2. SSH in as a dedicated unprivileged user, which then has permission to run rsync with root permissions through sudo. This is the option I use for backups, and I have a line such as the following in the sudo configuration, which only allows the unprivileged user to retrieve files from the server, and not write files:

    backup ALL=NOPASSWD: /usr/bin/rsync --server --sender *

--
Venlig hilsen / Kind regards
Jeppe Toustrup (aka. Tenzer)
Re: [OpenIndiana-discuss] Root as role vs. user and rsync
On 05/ 7/12 01:04 AM, Jeppe Toustrup wrote:

> On Sun, May 6, 2012 at 2:07 PM, Gary Gendel g...@genashor.com wrote:
>
>> I finally decided to take the bullet and make root a role instead of a user. All went well except for my nightly backup. I have a backup server that rsyncs my various collection of Linux, OpenIndiana, Windows, and Mac machines nightly. Without root as a user, how do I set up rsync to ssh onto the machine and retrieve the root system files on OpenIndiana?
>
> There are two ways as I see it:
>
> 1. Start rsyncd (see http://wiki.openindiana.org/oi/rsync+daemon+service+on+OpenIndiana) and set up a share for '/' which you then can rsync against. You can either do this directly over the network (unencrypted) or SSH into the machine and connect to rsyncd through localhost.

I'll second that recommendation; it is the way I rsync off anything derived from OpenSolaris. From what I've seen, this option offers the best performance. I lock the share down so only the backup server can read from it; see rsync.conf(5) for details.

--
Ian.
Re: [OpenIndiana-discuss] Root as role vs. user and rsync
On 5/6/12 8:04 AM, Jeppe Toustrup openindi...@tenzer.dk wrote:

> 2. SSH in as a dedicated unprivileged user, which then has permission to run rsync with root permissions through sudo.

This is how I do it, which also has the advantage of letting me give sudo permissions to run specific scripts that (for example) quiesce a database, snapshot the filesystem, reactivate the database, mount the snapshot, and then perform further operations on the snapshot while the database is humming along. Makes backup windows much more manageable.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!! -- Bill McKenna
Re: [OpenIndiana-discuss] Root as role vs. user and rsync
There is one other option. Use ssh public key authentication to bypass the whole PAM/role nonsense and restrict what the user can do with the command option. See sshd(8) in its AUTHORIZED_KEYS FILE FORMAT section.

On Sun, May 6, 2012 at 10:37 PM, Dave Pooser dave...@pooserville.com wrote:

> On 5/6/12 8:04 AM, Jeppe Toustrup openindi...@tenzer.dk wrote:
>
>> 2. SSH in as a dedicated unprivileged user, which then has permission to run rsync with root permissions through sudo.
>
> This is how I do it, which also has the advantage of letting me give sudo permissions to run specific scripts that (for example) quiesce a database, snapshot the filesystem, reactivate the database, mount the snapshot, and then perform further operations on the snapshot while the database is humming along. Makes backup windows much more manageable.
>
> --
> Dave Pooser
> Cat-Herder-in-Chief, Pooserville.com
> ...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!! -- Bill McKenna
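The sshd command= restriction Ignacio points to, as an added example that is not code from any of the posters: a POSIX sh forced-command wrapper in the spirit of Bob's key-triggered script, which refuses anything except a pull-only rsync server request under one directory. It assumes a hypothetical ALLOWED_ROOT of /export/home and an install path of /usr/local/sbin/rsync-pull-only; setting RSYNC_PREFIX to sudo pairs it with a sudoers rule like Jeppe's.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a backup-only SSH key.
# Install it via the command= option in authorized_keys (see sshd(8), AUTHORIZED_KEYS FILE FORMAT):
#   command="/usr/local/sbin/rsync-pull-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd exposes the client's requested command in SSH_ORIGINAL_COMMAND; only a read-only
# "rsync --server --sender" request below ALLOWED_ROOT is executed, everything else is refused.

set -f                              # the request string is data: never glob-expand it
ALLOWED_ROOT="/export/home"         # assumed directory the key may read; adjust per host
RSYNC_PREFIX=""                     # set to "sudo" when paired with a sudoers rule limited to rsync --server --sender

# check_rsync_cmd CMD: return 0 if CMD is an acceptable pull-only rsync server request, else 1
check_rsync_cmd() {
    set -- $1                       # split the request into tokens (globbing is off)
    [ "$#" -ge 5 ] || return 1
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] && [ "$3" = "--sender" ] || return 1
    shift 3
    # Only short-option clusters (e.g. -vlogDtpre.iLsfx) until the "." separator; long options
    # such as --remove-source-files are refused, since those would let a "sender" delete data
    while [ "$1" != "." ]; do
        case $1 in
            -[A-Za-z.]*) shift ;;
            *) return 1 ;;          # long option, stray token, or ran out of tokens
        esac
    done
    shift                           # drop the "." separator
    [ "$#" -eq 1 ] || return 1      # exactly one source path
    case $1 in
        *..*) return 1 ;;           # no traversal, even inside a file name
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# When invoked by sshd as the forced command, validate and run the request; otherwise do nothing
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $RSYNC_PREFIX $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning -t rsync-pull-only "refused request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Refused requests are logged to syslog with the client address, which gives the backup host's logs something to alert on if the key is ever used for anything but its nightly pull.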