- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Replicate Production to DR file system with rsync
- From: Tony Sceats <tony.sceats@xxxxxxxxx>
- Date: Fri, 12 Feb 2010 20:31:01 +1100
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=SIh9bvxOjJJmJayWdNkPRA/gsMAR+8+hRcfHatObtNs=; b=ZX4f7gl0TTd01nWO4RBK0hhqqMUuVshdf6jXLiqSc9gIOgTzDElfbG1cAAziuSck8F NBBnSTs8C8g+Zla3/CibS7AuA86Tj+t9rEAIpF9bI51J0gCkmS1ATsi26yuuo7HHZ/nO 6u6fcvl9Vl1zsSOhI1r4PeukHgTAOR6HN0yT0=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=Tj1jMJzB/hkwqXbvRq89sA41mDTiEdbWYbap40d2s0gNDPCix4O0eaRk2EScWAmpYM uJoDz+XYG+F/gvZOaaB/sIZ0eKN5DktckLzdoBmVyMmAuGlUVZAF1bjr/k1W/k1ceL2+ rQULze+Zb0J+RHx8KnkRjkbSSMeUUkCCdQIis=
lol, yes, that's the bit I missed :)
I guess ultimately you either have to relax the permissions on the files
(eg, add a new backup group, chrgrp and chmod the files), or relax the
system access restrictions (eg, using sudo, as already suggested by Ken)
I wonder which would have larger implications.. I would expect setting up
extremely limited sudo commands allows more flexibility in the sorts of
things you can do as well as not being a pita to keep stable over upgrades
and installations
On Fri, Feb 12, 2010 at 7:48 PM, James Gray <james@xxxxxxxxxxx> wrote:
>
> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>
> > I may have missed something, or maybe someone else has suggested this
> > already, but why not pull instead of push?
> >
> > ie, from the machine that is the backup, connect to the master server and
> > rsync that way
> >
> > - this will mean that anything that's world readable but only writable
> by
> > root wont be a problem (you can write locally, and read with a normal
> user)
> > - anything that's readable only by root, well, you'd need root to back
> it
> > up, I don't think you can escape that.
>
> Hi Tony,
>
> THAT is exactly the problem, and why we need "root at both ends" (keep it
> clean people!). I'm not fussed if push some data, and pull the rest, but
> stuff like /etc/shadow is a real pain (there are others, but this one is
> well known). I'm thinking I might just use root to tar up the problem files
> (they aren't big) and transfer them using an unprivileged account, then get
> root to unpack at the destination. Obviously the tar ball will need to be
> packed and dropped in a secure way at the destination (encrypted file using
> PKI or some such). This would work, but it would be ugly :(
>
> Eventually, the whole /etc/passwd and /etc/shadow problem will go away when
> we implement "Likewise Enterprise" to hook into our Active Directory (cough,
> hack, spit) which will manage all the USER accounts. Administrators are so
> few and rarely turned over, we can manage those through the normal *nix
> tools; and eventually puppet :)
>
> *Sigh*. I hate the audit-season :( Deloitte, you suck.
>
> Cheers,
>
> James
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
SLUG Mailing List Archives