Re: feature request: "remote user is root, make remote owner is foo"
On Wed, 2010-08-11 at 10:18 -0700, travis+ml-rs...@subspacefield.org wrote:
> I often push files from my user account over SSH to my web server, and
> want them owned by www-user, which may not have a login shell, should
> never accept remote logins, and who may not have a ~/.ssh directory
> (and if it did, it would be under the wwwroot, ack!).
>
> Currently I push as root and then do a chmod, but isn't there a better
> way? While I'm doing this, the files are temporarily unavailable, since
> they aren't readable by www-user as they exist on the local system.

See the --usermap option, which is in the current development rsync and
available in the "usermap.diff" maintained patch for rsync 3.0.*.

--
Matt

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: feature request: "remote user is root, make remote owner is foo"
On Wed, Aug 11, 2010 at 02:51:35PM -0700, travis+ml-rs...@subspacefield.org wrote:
> On Wed, Aug 11, 2010 at 01:32:42PM -0400, Brian Cuttler wrote:
> [Set u+s on directories, don't worry about owners]
>
> It seems to work relatively well. I get an error about not being
> able to chgrp the files owned by other users, and, in my case,
> the group ends up wrong because it's not supposed to be the same
> on both ends (www-data on destination, something else on source).
>
> However, because of the former problem, at least the extant files
> stay readable until I can fix up the group problem caused by the
> latter. If I further chown them to www-data, then they don't get
> their gid hosed the second time around.
>
> Not an ideal solution, but seems workable for the time being.
>
> Aside: chown really needs a flag that says "set GID on directories but
> nothing else". Right now I do this, which is the only right thing to
> do when filenames might contain anything, including whitespace or
> newlines:

We use a find command to find directories and feed it to the chown
action. I'd have to think about/look up the exact syntax, but it's a
one-line command and runs fairly quickly, since you can get the find
to do the file selection (find directories) rather than passing that
work further down the pipe.

> setperms () {
>     local perms="$1"
>     local fileperm="$2"
>     local dirperm="$3"
>     local own="$4"
>
>     local dir
>
>     shift 4
>
>     for dir in "$@"
>     do
>         if test -d "$dir"
>         then
>             find "$dir" -xdev -type d -print0 | xargs -0 --no-run-if-empty chmod "$perms","$dirperm" --
>             find "$dir" -xdev -type f -print0 | xargs -0 --no-run-if-empty chmod "$perms","$fileperm" --
>             chown -R "$own" "$dir"
>         fi
>     done
> }
>
> setperms u=rwX,o=rX g=rwX g=rwxs owner:group /path/to/whatever
> --
> A Weapon of Mass Construction
> My emails do not have attachments; it's a digital signature that your mail
> program doesn't understand. | http://www.subspacefield.org/~travis/
> If you are a spammer, please email j...@subspacefield.org to get blacklisted.

---
Brian R Cuttler                 brian.cutt...@wadsworth.org
Computer Systems Support        (v) 518 486-1697
Wadsworth Center                (f) 518 473-6384
NYS Department of Health        Help Desk 518 473-0773

IMPORTANT NOTICE: This e-mail and any attachments may contain confidential
or sensitive information which is, or may be, legally privileged or
otherwise protected by law from further disclosure. It is intended only
for the addressee. If you received this in error or from someone who was
not authorized to send it to you, please do not distribute, copy or use it
or any attachments. Please notify the sender immediately by reply e-mail
and delete this from your system. Thank you for your cooperation.
Re: feature request: "remote user is root, make remote owner is foo"
On Wed, Aug 11, 2010 at 01:32:42PM -0400, Brian Cuttler wrote:
[Set u+s on directories, don't worry about owners]

It seems to work relatively well. I get an error about not being
able to chgrp the files owned by other users, and, in my case,
the group ends up wrong because it's not supposed to be the same
on both ends (www-data on destination, something else on source).

However, because of the former problem, at least the extant files
stay readable until I can fix up the group problem caused by the
latter. If I further chown them to www-data, then they don't get
their gid hosed the second time around.

Not an ideal solution, but seems workable for the time being.

Aside: chown really needs a flag that says "set GID on directories but
nothing else". Right now I do this, which is the only right thing to
do when filenames might contain anything, including whitespace or
newlines:

setperms () {
    # $1: modes applied to everything, $2: extra modes for files,
    # $3: extra modes for directories, $4: owner[:group];
    # the remaining arguments are the directory trees to process
    local perms="$1"
    local fileperm="$2"
    local dirperm="$3"
    local own="$4"

    local dir

    shift 4

    for dir in "$@"
    do
        if test -d "$dir"
        then
            # -print0 / xargs -0 keep names containing whitespace or newlines intact
            find "$dir" -xdev -type d -print0 | xargs -0 --no-run-if-empty chmod "$perms","$dirperm" --
            find "$dir" -xdev -type f -print0 | xargs -0 --no-run-if-empty chmod "$perms","$fileperm" --
            chown -R "$own" "$dir"
        fi
    done
}

setperms u=rwX,o=rX g=rwX g=rwxs owner:group /path/to/whatever
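Travis's aside asks for a way to set the setgid bit on directories and nothing else, and Brian's reply mentions driving the change from find rather than a pipe. The following is an added example, not code from either poster: it applies g+s to directories only using find's -exec ... {} + (so names with spaces or newlines are never split by a pipe or word splitting) and verifies the result with a NUL-separated count, which stays correct even when a name contains a newline. The sample tree, its names and the expected counts are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): set the setgid bit on directories
# only, leaving files untouched, for arbitrary file names.
# All names and values here are assumptions of this example.

set -eu

# Set g+s on every directory below $1, staying on one filesystem.
# find passes the names straight to chmod's argv; nothing is re-parsed.
setgid_dirs_only() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -xdev -type d -exec chmod g+s '{}' +
}

# Count entries of type $2 (d or f) below $1 that carry the setgid bit.
# Counting NUL separators rather than lines keeps newline-in-name entries
# from being counted twice.
count_setgid() {
    root="$1"
    kind="$2"
    find "$root" -xdev -type "$kind" -perm -g+s -print0 \
        | tr -dc '\0' | wc -c | tr -d ' '
}

# Build a constructed sample tree with awkward names under $1 and print
# the root of that tree: 5 directories (one with a newline in its name)
# and 2 files.
make_sample_tree() {
    base="$1"
    nl=$(printf '\nx'); nl=${nl%x}
    mkdir -p "$base/site/a b/c" "$base/site/plain" "$base/site/odd${nl}name"
    : > "$base/site/a b/index.html"
    : > "$base/site/plain/x y.css"
    printf '%s' "$base/site"
}

# Run the whole thing on a throwaway tree and report what was set.
demo() {
    tmp=$(mktemp -d)
    site=$(make_sample_tree "$tmp")
    setgid_dirs_only "$site"
    dirs=$(count_setgid "$site" d)
    files=$(count_setgid "$site" f)
    rm -rf "$tmp"
    printf 'setgid directories=%s setgid files=%s\n' "$dirs" "$files"
    [ "$dirs" -eq 5 ] && [ "$files" -eq 0 ]
}

demo
```

The setgid bit on a directory only takes effect if the directory's group is one the caller belongs to (or the caller has CAP_FSETID); otherwise chmod silently clears it, which is why the count check matters in practice.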
Re: feature request: "remote user is root, make remote owner is foo"
On 08/11/10 13:18, travis+ml-rs...@subspacefield.org wrote:
> I often push files from my user account over SSH to my web server, and
> want them owned by www-user, which may not have a login shell, should
> never accept remote logins, and who may not have a ~/.ssh directory
> (and if it did, it would be under the wwwroot, ack!).

This is off-topic, but I don't see a reason for having the files owned
by the www user. If anything, they should only be in the www group and
only group-readable. That is, unless you really want the www user to be
able to write to your files. Think about a vulnerability (in apache, for
instance) which would give someone the ability to act as the www user.
They would then be able to change all of your site content. There's an
approach that's even tighter than this that requires ACLs.

> Currently I push as root and then do a chmod, but isn't there a better
> way? While I'm doing this, the files are temporarily unavailable, since
> they aren't readable by www-user as they exist on the local system.

I think Brian's solution is ideal. Use the setgid bit on your web
directories.

-Steve Polyack
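To make Steve's point concrete, here is an added example that is not from the thread: a shell function that puts a web root into the model he describes (owner-writable, readable and searchable by the web server's group, setgid on directories so new entries keep that group, nothing for others) and an audit that counts everything the web server's group or anyone else could still modify. That count is the check a defender wants after each push: anything non-zero is content a compromised web server process could alter. The group name www-data, the temporary tree, the file names and the mode values are assumptions of this example; the chgrp step that would assign the www group appears only as a comment because it needs that group to exist and the privilege to change groups.

```shell
#!/bin/sh
# Added example (not from the thread): enforce and audit a web root where
# the web server's group can read content but never write it.
# Group name, layout and modes below are assumptions of this example.

set -eu

# Directories: u=rwx, g=rxs (setgid so new entries inherit the group), o=.
# Files: u=rw, g=r, o=. Assumed group assignment, not run here:
#   chgrp -R www-data "$root"
harden_webroot() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -xdev -type d -exec chmod u=rwx,g=rxs,o= '{}' +
    find "$root" -xdev -type f -exec chmod u=rw,g=r,o= '{}' +
}

# Count entries below $1 writable by group or others. Uses NUL separators
# so names containing newlines are counted once.
count_group_or_world_writable() {
    root="$1"
    find "$root" -xdev \( -perm -g+w -o -perm -o+w \) -print0 \
        | tr -dc '\0' | wc -c | tr -d ' '
}

# Constructed sample web root under $1 with explicit modes so the result
# does not depend on the caller's umask: two writable files, one clean.
make_sample_webroot() {
    base="$1"
    mkdir -p "$base/site/css"
    chmod 755 "$base/site" "$base/site/css"
    : > "$base/site/index.html";  chmod 664 "$base/site/index.html"
    : > "$base/site/upload.php";  chmod 666 "$base/site/upload.php"
    : > "$base/site/css/main.css"; chmod 644 "$base/site/css/main.css"
    printf '%s' "$base/site"
}

# Audit, harden, audit again on a throwaway tree.
demo() {
    tmp=$(mktemp -d)
    site=$(make_sample_webroot "$tmp")
    before=$(count_group_or_world_writable "$site")
    harden_webroot "$site"
    after=$(count_group_or_world_writable "$site")
    rm -rf "$tmp"
    printf 'writable by group/others: before=%s after=%s\n' "$before" "$after"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ]
}

demo
```

Running the audit function alone on a live web root (without harden_webroot) is the non-destructive way to see whether a deployment has drifted into the "www user can write the site" state Steve warns about.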
Re: feature request: "remote user is root, make remote owner is foo"
On Wed, Aug 11, 2010 at 01:34:44PM -0400, Brian Cuttler wrote:
> As a matter of principle, SOP, we don't like to ssh/rsync as root
> and generally don't allow root ssh/rsync into a box. Better/safer
> to move the security stuff to a lower powered user if you can.

I'm familiar with the argument. Let me give you my take on it:

http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc11.9.9

Downside: Direct root logins make accountability harder - you have
only the source IP to go on.

Upside: You can back up the entire [file] system remotely. You can
rsync stuff owned by users without valid login shells or authorized_keys.

For me, I'm the only root user, and only allow key-based logins, so
there's no downside.

I'll look into your SGID directory idea for group ownership.

PS: rsync kinda assumes when doing --preserve-uids that UIDs (or maybe
it was user names) map. When they don't exist on target system, you
either get "owned by destination user" (no --preserve-uids), or "owned
by wrong user", both of which have drawbacks. It'd be nice to have a
way to map users, but not a must-have.
Re: feature request: "remote user is root, make remote owner is foo"
Travis,

We also use rsync to push our files. While there are several users with
the ability to do the push, the files on the webserver host are set with
su-gid bit set. No matter which of our web people push the files to the
visible server the files all move to a consistent groupship that allows
the other users to replace them later.

You may do something similar with your setup, the webserver group being
in the same group as your webmaster(s)', at least on the receiving end
of things.

Our files on the webserver are 775 and directories 1775 and we are less
concerned about the owner of the file than the group of the file.

YMMV

Brian

On Wed, Aug 11, 2010 at 10:18:11AM -0700, travis+ml-rs...@subspacefield.org wrote:
> I often push files from my user account over SSH to my web server, and
> want them owned by www-user, which may not have a login shell, should
> never accept remote logins, and who may not have a ~/.ssh directory
> (and if it did, it would be under the wwwroot, ack!).
>
> Currently I push as root and then do a chmod, but isn't there a better
> way? While I'm doing this, the files are temporarily unavailable, since
> they aren't readable by www-user as they exist on the local system.
Re: feature request: "remote user is root, make remote owner is foo"
Travis,

As a matter of principle, SOP, we don't like to ssh/rsync as root
and generally don't allow root ssh/rsync into a box. Better/safer
to move the security stuff to a lower powered user if you can.

On Wed, Aug 11, 2010 at 10:18:11AM -0700, travis+ml-rs...@subspacefield.org wrote:
> I often push files from my user account over SSH to my web server, and
> want them owned by www-user, which may not have a login shell, should
> never accept remote logins, and who may not have a ~/.ssh directory
> (and if it did, it would be under the wwwroot, ack!).
>
> Currently I push as root and then do a chmod, but isn't there a better
> way? While I'm doing this, the files are temporarily unavailable, since
> they aren't readable by www-user as they exist on the local system.
feature request: "remote user is root, make remote owner is foo"
I often push files from my user account over SSH to my web server, and
want them owned by www-user, which may not have a login shell, should
never accept remote logins, and who may not have a ~/.ssh directory
(and if it did, it would be under the wwwroot, ack!).

Currently I push as root and then do a chmod, but isn't there a better
way? While I'm doing this, the files are temporarily unavailable, since
they aren't readable by www-user as they exist on the local system.