  1. #11
    Linux Enthusiast
    Join Date
    Jun 2005
    Posts
    668

    when you mean 'cannot do stuff that root can' what exactly do you mean?

    if root login is disallowed on SSHD, obviously you cannot SSH in as root

    you can still rsync as root though,


    but someone will need a root password to do 'anything' anyway,


    I know you want another user that can 'read all the files' so you can backup over SSH, but I don't see how this is different to just using root. I guess you could create another user 'rsyncbackup' or something, that you could put into the 'root' group, but again I don't see the point.

    like I said before you're going to need a password either way, so in reality if the user needs to see all files in order to back up, no other user with root privileges is going to be any more secure. it's just exactly the same.

  2. #12
    Just Joined!
    Join Date
    Nov 2006
    Posts
    4
    No, ssh provides a mechanism to be able to login without a password (securely). But if I would let root login without a password that would pose another security risk. So, if a cracker compromises my backup server s/he could also login to my other (web) server without a password.

    Don't worry, I think I might need to change the permissions for the files I want to backup then or just let root login without a password so it can be done automatically.

    Thanks for your time anyway.

  3. #13
    Just Joined!
    Join Date
    Oct 2008
    Posts
    1
    Quote (originally posted by geek.de.nz):

        No, ssh provides a mechanism to be able to login without a password (securely). But if I would let root login without a password that would pose another security risk. So, if a cracker compromises my backup server s/he could also login to my other (web) server without a password.

        Don't worry, I think I might need to change the permissions for the files I want to backup then or just let root login without a password so it can be done automatically.

        Thanks for your time anyway.

    Hi there. I want to do exactly the same thing:

    root@backuphost # rsync backup@remotehost:/etc \
    /backup/etc

    In a way that the "backup" user can only read files and not mess with anything, considering this will be a public-key/no-password login.

    I researched on this and here's what I've found up until now:

    - you can do it with ssh and forced commands; look for "validate-rsync"; I already knew this method; the problem is that it is not elegant and you have to be very careful writing the script in order to make it secure;

    - I tried ACLs; if you create a user 'backup', give him read access to / recursively and set default ACLs to / recursively also; the problem here is that umask doesn't work with default ACLs; I'm afraid it's a bad thing to change the semantics for the entire filesystem;

    - I didn't go into it, BUT I think there's an elegant way of creating a user like this (only read access to everything) with SELinux;

    I'd appreciate any return on this.

    Felipe
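
The forced-command approach mentioned in post #13, as an added example that is not part of the thread and is not the "validate-rsync" script the post refers to. It shows the checks such a wrapper has to make so that the key can only pull files. The install path, the `--enforce` argument, `ALLOWED_PREFIX` and the key placeholder are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a pull-only rsync backup key.
# Hypothetical authorized_keys entry for the "backup" user on remotehost:
#   restrict,command="/usr/local/bin/validate-rsync --enforce" ssh-ed25519 <public-key>
LC_ALL=C; export LC_ALL
set -f                     # never glob-expand client-supplied words
ALLOWED_PREFIX="/etc"      # assumption: the only tree this key may read

# Return 0 only for an rsync sender-side (read-only) invocation limited to
# ALLOWED_PREFIX; return 1 for anything else.
validate_rsync_cmd() {
    case $1 in
        *[!A-Za-z0-9\ ./_=,-]*) return 1 ;;   # metacharacters, quotes, newlines
        "rsync --server --sender "*) ;;       # remote side only sends data
        *) return 1 ;;
    esac
    set -- $1                                 # split on whitespace, no eval
    shift 3                                   # drop: rsync --server --sender
    seen_dot=0 paths=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $arg in
                .) seen_dot=1 ;;              # "." ends the option words
                --*) return 1 ;;              # e.g. --remove-source-files, --log-file
                -?*) case ${arg%%e*} in       # flags before -e's value
                         *s*) return 1 ;;     # -s moves the real args out of our sight
                     esac ;;
                *) return 1 ;;
            esac
        else
            case $arg in
                */..|*/../*) return 1 ;;      # no climbing out of the prefix
                "$ALLOWED_PREFIX"|"$ALLOWED_PREFIX"/*) paths=$((paths + 1)) ;;
                *) return 1 ;;
            esac
        fi
    done
    [ "$paths" -ge 1 ]
}

# Act only when invoked as the forced command; without --enforce nothing runs.
if [ "${1:-}" = "--enforce" ]; then
    if validate_rsync_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND            # word-split only, never eval
    fi
    echo "rejected: ${SSH_ORIGINAL_COMMAND:-interactive login}" >&2
    exit 1
fi
```

The wrapper limits what the key can ask rsync to do; which files are actually readable is still decided by the backup account's file permissions.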
