- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Replicate Production to DR file system with rsync
- From: Tony Sceats <tony.sceats@xxxxxxxxx>
- Date: Fri, 12 Feb 2010 20:37:57 +1100
Of course running some sort of backup client/server application that
installs as root is also an option, as it will presumably have some sort of
secured access mechanisms as part of the app (I hope anyway ;)
although I don't actually know one to recommend

On Fri, Feb 12, 2010 at 8:31 PM, Tony Sceats <tony.sceats@xxxxxxxxx> wrote:
> lol, yes, that's the bit I missed :)
>
> I guess ultimately you either have to relax the permissions on the files
> (eg, add a new backup group, chgrp and chmod the files), or relax the
> system access restrictions (eg, using sudo, as already suggested by Ken)
>
> I wonder which would have larger implications.. I would expect setting up
> extremely limited sudo commands allows more flexibility in the sorts of
> things you can do as well as not being a pita to keep stable over upgrades
> and installations
>
> On Fri, Feb 12, 2010 at 7:48 PM, James Gray <james@xxxxxxxxxxx> wrote:
>
>>
>> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>>
>> > I may have missed something, or maybe someone else has suggested this
>> > already, but why not pull instead of push?
>> >
>> > ie, from the machine that is the backup, connect to the master server
>> > and rsync that way
>> >
>> > - this will mean that anything that's world readable but only writable
>> > by root won't be a problem (you can write locally, and read with a
>> > normal user)
>> > - anything that's readable only by root, well, you'd need root to back
>> > it up, I don't think you can escape that.
>>
>> Hi Tony,
>>
>> THAT is exactly the problem, and why we need "root at both ends" (keep it
>> clean people!). I'm not fussed if I push some data, and pull the rest, but
>> stuff like /etc/shadow is a real pain (there are others, but this one is
>> well known). I'm thinking I might just use root to tar up the problem files
>> (they aren't big) and transfer them using an unprivileged account, then get
>> root to unpack at the destination. Obviously the tar ball will need to be
>> packed and dropped in a secure way at the destination (encrypted file using
>> PKI or some such). This would work, but it would be ugly :(
>>
>> Eventually, the whole /etc/passwd and /etc/shadow problem will go away
>> when we implement "Likewise Enterprise" to hook into our Active Directory
>> (cough, hack, spit) which will manage all the USER accounts. Administrators
>> are so few and rarely turned over, we can manage those through the normal
>> *nix tools; and eventually puppet :)
>>
>> *Sigh*. I hate the audit-season :( Deloitte, you suck.
>>
>> Cheers,
>>
>> James
>> --
>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>>
>
>
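
The "extremely limited sudo commands" option from the thread, combined with pulling from the DR side, as an added example that is not part of the original messages. The account name `drbackup`, the wrapper path `/usr/local/sbin/rsync-ro`, the rsync location `/usr/bin/rsync` and the file list are assumptions; the wrapper lets root run rsync only as a read-only sender for the listed files and refuses receiver mode, which would write to production.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, installed as /usr/local/sbin/rsync-ro
# on the production host. Assumed sudoers entry (account name is made up):
#   drbackup ALL=(root) NOPASSWD: /usr/local/sbin/rsync-ro
# Pull, run on the DR host as the unprivileged drbackup user:
#   rsync -a --rsync-path="sudo /usr/local/sbin/rsync-ro" \
#       drbackup@prod:/etc/shadow /srv/dr/etc/

# Root-only files the DR host may read (assumed list).
ALLOWED_PATHS="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# Return 0 only for a read-only "sender" request on allowlisted paths.
# For a pull, the client starts the remote side as:
#   rsync --server --sender <options> . <path>...
check_rsync_args() {
    [ "$1" = "--server" ] && [ "$2" = "--sender" ] || return 1
    shift 2
    seen_dot=0
    npaths=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case "$arg" in
                .) seen_dot=1 ;;          # separator between options and paths
                --numeric-ids) ;;         # the only long option accepted here
                --*) return 1 ;;          # e.g. --remove-source-files alters prod
                -*) ;;                    # short option bundle such as -logDtpre.iLsfxC
                *) return 1 ;;
            esac
            continue
        fi
        ok=0
        for p in $ALLOWED_PATHS; do
            if [ "$arg" = "$p" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || return 1
        npaths=$((npaths + 1))
    done
    [ "$npaths" -gt 0 ]
}

# Only act when invoked under the wrapper's own name, so the function can
# also be sourced or tested without running rsync.
case "$0" in
    */rsync-ro)
        check_rsync_args "$@" || { echo "rsync-ro: request refused" >&2; exit 1; }
        exec /usr/bin/rsync "$@"
        ;;
esac
```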