  1. #1
    Just Joined! uhcafigdc's Avatar
    Join Date
    May 2009
    Location
    East Coast USA
    Posts
    23

    Read only access via /etc/sudoers?


    I want to create a special user that will run a script that creates a backup of the /etc directory using rsync.

    In order to let this user read all of /etc, it needs to have some kind of sudo privilege.

    If I make an entry in the sudoers file letting the user execute rsync within the /etc directory, then this user can also write to the /etc directory with rsync, which is not good.

    Is it possible to give a user read-only access to a directory using the sudoers file? I saw a solution which restricts the user to use only /bin/cat, but I want to use rsync to make the backups.

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,425
    This could be done by configuring and running rsync as a daemon.
    You would start it with root privileges, hence rsyncd has potentially full access to everywhere.
    Then you define a module for the path /etc.
    That module would be restricted to read only by configuration.
    It will also allow access for "special user".

    But imho, there are better ways than this:
    If I interpret your post correctly, then your goal is to have a script for system config backup,
    but you want a safeguard against accidentally overwriting /etc. Is that correct?

    If yes, then
    1) you might want to try one of the well established backup suites like amanda or bacula.
    2) and/or use a config management tool like puppet

    bacula if a mere backup is enough, and puppet if you want to control and maintain your machines in a programmatical way.
    You must always face the curtain with a bow.
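
The daemon setup described in post #2, written out as an rsyncd.conf. This is an added example, not part of the original thread; the module name `etc`, the rsync-level user `etcbackup`, and the secrets, log and destination paths are assumptions.

```ini
# /etc/rsyncd.conf (constructed example; names and paths are assumptions)
# Start as root:  rsync --daemon --config=/etc/rsyncd.conf
# rsyncd.conf only supports whole-line comments, so none are placed after values.

# Daemon traffic is not encrypted, so listen on loopback only.
address = 127.0.0.1
log file = /var/log/rsyncd.log

[etc]
    comment = read-only export of /etc for backups
    path = /etc
    # Run transfers as root so every file under /etc is readable.
    uid = root
    gid = root
    use chroot = yes
    # Refuse any upload to this module, even though the daemon runs as root.
    read only = yes
    # Hide the module from anonymous module listings.
    list = no
    # rsync-level user name (not a system account); all others are refused.
    auth users = etcbackup
    # Lines of the form user:password; must not be readable by other users.
    secrets file = /etc/rsyncd.secrets
    hosts allow = 127.0.0.1
    max connections = 1

# Backup run by the unprivileged account, no sudo entry needed:
#   rsync -a --password-file=/home/etcbackup/.rsync.pass \
#         etcbackup@127.0.0.1::etc/ /home/etcbackup/etc-backup/
```

The copy includes files such as /etc/shadow, so the destination directory and the password file need permissions as strict as the source.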

  3. #3
    Just Joined!
    Join Date
    Oct 2006
    Posts
    32
    For something like that I would just use acls.

    Essentially you would use setfacl to set that particular user to have 400 /etc.

    You might have to enable the acl mount option depending on the version / distro you are running.

    HTH
