Results 11 to 13 of 13
when you mean 'cannot do stuff that root can' what exactly do you mean? if root login is disallowed on SSHD, obviously you cannot SSH in as root you can ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 11-10-2006 #11
- Join Date
- Jun 2005
if root login is disallowed on SSHD, obviously you cannot SSH in as root
you can still rsync as root though,
but someone will need a root password to do 'anything' anyway,
I know you want another user that can 'read all the files' so you can backup over SSH, but I don't see how this is different to just using root. I guess you could create another user 'rsyncbackup' or something, that you could put into the 'root' group, but again I don't see the point.
like I said before you're going to need a password either way, so in reality if the user needs to see all files in order to back up, no other user with root priveleges is going to be any more secure. its just exactly the same.
- 11-10-2006 #12
- Join Date
- Nov 2006
No, ssh provides a mechanism to be able to login without a password (securely). But if I would let root login without a password that would pose another security risk. So, if a cracker compromises my backup server s/he could also login to my other (web) server without a password.
Don't worry, I think I might need to change the permissions for the files I want to backup then or just let root login without a password so it can be done automatically.
Thanks for your time anyway.
- 10-20-2008 #13
- Join Date
- Oct 2008
root@backuphost # rsync backup@remotehost:/etc \
In a way that the "backup" user can only read files and not mess with anything, considering this will be a public-key/no-password login.
I researched on this and here's what I've found up until now:
- you can do it with ssh and forced commands; look for "validate-rsync"; I already knew this method; the problem is that it is not elegant and you have to be very careful writing the script in order to make it secure;
- I tried ACLs; if you create a user 'backup', give him read access to / recursively and set default ACLs to / recursively also; the problem here is that umask doesn't work with default ACLs; I'm afraid it's a bad thing to change the semantics for the entire filesystem;
- I didn't go into it, BUT I think there's an ellegant way of creating a user like this (only read access to everything) with SELinux;
I'd appreciate any return on this.