Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Replicate Production to DR file system with rsync


lol, yes, that's the bit I missed :)

I guess ultimately you either have to relax the permissions on the files
(eg, add a new backup group, chrgrp and chmod the files), or relax the
system access restrictions (eg, using sudo, as already suggested by Ken)

I wonder which would have larger implications.. I would expect setting up
extremely limited sudo commands allows more flexibility in the sorts of
things you can do as well as not being a pita to keep stable over upgrades
and installations




On Fri, Feb 12, 2010 at 7:48 PM, James Gray <james@xxxxxxxxxxx> wrote:

>
> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>
> > I may have missed something, or maybe someone else has suggested this
> > already, but why not pull instead of push?
> >
> > ie, from the machine that is the backup, connect to the master server and
> > rsync that way
> >
> >  - this will mean that anything that's world readable but only writable
> by
> > root wont be a problem (you can write locally, and read with a normal
> user)
> >  - anything that's readable only by root, well, you'd need root to back
> it
> > up, I don't think you can escape that.
>
> Hi Tony,
>
> THAT is exactly the problem, and why we need "root at both ends" (keep it
> clean people!).  I'm not fussed if push some data, and pull the rest, but
> stuff like /etc/shadow is a real pain (there are others, but this one is
> well known).  I'm thinking I might just use root to tar up the problem files
> (they aren't big) and transfer them using an unprivileged account, then get
> root to unpack at the destination.  Obviously the tar ball will need to be
> packed and dropped in a secure way at the destination (encrypted file using
> PKI or some such).  This would work, but it would be ugly :(
>
> Eventually, the whole /etc/passwd and /etc/shadow problem will go away when
> we implement "Likewise Enterprise" to hook into our Active Directory (cough,
> hack, spit) which will manage all the USER accounts.  Administrators are so
> few and rarely turned over, we can manage those through the normal *nix
> tools; and eventually puppet :)
>
> *Sigh*.  I hate the audit-season :(  Deloitte, you suck.
>
> Cheers,
>
> James
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>