Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Replicate Production to DR file system with rsync

On 12/02/2010, at 7:38 PM, Tony Sceats wrote:

> I may have missed something, or maybe someone else has suggested this
> already, but why not pull instead of push?
> ie, from the machine that is the backup, connect to the master server and
> rsync that way
>  - this will mean that anything that's world readable but only writable by
> root wont be a problem (you can write locally, and read with a normal user)
>  - anything that's readable only by root, well, you'd need root to back it
> up, I don't think you can escape that.

Hi Tony,

THAT is exactly the problem, and why we need "root at both ends" (keep it clean people!).  I'm not fussed if push some data, and pull the rest, but stuff like /etc/shadow is a real pain (there are others, but this one is well known).  I'm thinking I might just use root to tar up the problem files (they aren't big) and transfer them using an unprivileged account, then get root to unpack at the destination.  Obviously the tar ball will need to be packed and dropped in a secure way at the destination (encrypted file using PKI or some such).  This would work, but it would be ugly :(

Eventually, the whole /etc/passwd and /etc/shadow problem will go away when we implement "Likewise Enterprise" to hook into our Active Directory (cough, hack, spit) which will manage all the USER accounts.  Administrators are so few and rarely turned over, we can manage those through the normal *nix tools; and eventually puppet :)

*Sigh*.  I hate the audit-season :(  Deloitte, you suck.



Attachment: smime.p7s
Description: S/MIME cryptographic signature