lol, yes, that's the bit I missed :) I guess ultimately you either have to relax the permissions on the files (e.g., add a new backup group, chgrp and chmod the files), or relax the system access restrictions (e.g., using sudo, as already suggested by Ken).

I wonder which would have larger implications. I would expect setting up extremely limited sudo commands allows more flexibility in the sorts of things you can do, as well as not being a pita to keep stable over upgrades and installations.

On Fri, Feb 12, 2010 at 7:48 PM, James Gray <ja...@gray.net.au> wrote:
>
> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>
> > I may have missed something, or maybe someone else has suggested this
> > already, but why not pull instead of push?
> >
> > i.e., from the machine that is the backup, connect to the master server and
> > rsync that way
> >
> > - this will mean that anything that's world readable but only writable by
> > root won't be a problem (you can write locally, and read with a normal user)
> > - anything that's readable only by root, well, you'd need root to back it
> > up, I don't think you can escape that.
>
> Hi Tony,
>
> THAT is exactly the problem, and why we need "root at both ends" (keep it
> clean people!). I'm not fussed if I push some data, and pull the rest, but
> stuff like /etc/shadow is a real pain (there are others, but this one is
> well known). I'm thinking I might just use root to tar up the problem files
> (they aren't big) and transfer them using an unprivileged account, then get
> root to unpack at the destination. Obviously the tar ball will need to be
> packed and dropped in a secure way at the destination (encrypted file using
> PKI or some such). This would work, but it would be ugly :(
>
> Eventually, the whole /etc/passwd and /etc/shadow problem will go away when
> we implement "Likewise Enterprise" to hook into our Active Directory (cough,
> hack, spit) which will manage all the USER accounts. Administrators are so
> few and rarely turned over, we can manage those through the normal *nix
> tools; and eventually puppet :)
>
> *Sigh*. I hate the audit-season :( Deloitte, you suck.
>
> Cheers,
>
> James
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
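The "pull with extremely limited sudo" combination the thread discusses, written out as an added example (not from any poster): a sudoers drop-in on the master host that lets an unprivileged account run only the read-only server side of rsync for the root-only paths. The account name `backup`, the host names and the backed-up paths are assumptions.

```sudoers
# Added example, not from the thread: /etc/sudoers.d/rsync-backup on the
# MASTER (source) host. Assumed names: account "backup", host master.example,
# destination /srv/backups/master on the backup host.
#
# The backup host pulls (from cron, as its own unprivileged user):
#   rsync -a --rsync-path='sudo rsync' \
#       backup@master.example:/etc/ /srv/backups/master/etc/
# which makes sshd on the master run, as user backup:
#   sudo rsync --server --sender -logDtpre.iLsfx . /etc/
#
# sudoers matches the whole argument list, so only this exact server-side
# command is allowed. "--sender" means the privileged rsync only reads on the
# master and never writes there. The option string after --sender depends on
# the rsync version and the client flags (-a shown here); copy it from the
# "command not allowed" line that sudo logs on the first attempt, then
# re-check it after rsync upgrades, as it is the part that breaks silently.

Cmnd_Alias BACKUP_PULL = \
    /usr/bin/rsync --server --sender -logDtpre.iLsfx . /etc/, \
    /usr/bin/rsync --server --sender -logDtpre.iLsfx . /var/lib/sitedata/

# No password prompt: the job is unattended. Everything else the backup
# account tries via sudo (a shell, --server without --sender, other paths)
# is refused and written to the auth log.
backup ALL=(root) NOPASSWD: BACKUP_PULL
```

Validate the file with `visudo -cf /etc/sudoers.d/rsync-backup` before relying on it; on the destination, keep `/srv/backups/master` readable only by the backup user, since it now holds a copy of `/etc/shadow`.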