Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Replicate Production to DR file system with rsync

O of course running some sort of backup client/server application that
installs as root is also an option, as it will presumably have some sort of
secured access mechanisms as part of the app (I hope anyway ;)

although I don't actually know one to recommend

On Fri, Feb 12, 2010 at 8:31 PM, Tony Sceats <tony.sceats@xxxxxxxxx> wrote:

> lol, yes, that's the bit I missed :)
> I guess ultimately you either have to relax the permissions on the files
> (eg, add a new backup group, chrgrp and chmod the files), or relax the
> system access restrictions (eg, using sudo, as already suggested by Ken)
> I wonder which would have larger implications.. I would expect setting up
> extremely limited sudo commands allows more flexibility in the sorts of
> things you can do as well as not being a pita to keep stable over upgrades
> and installations
> On Fri, Feb 12, 2010 at 7:48 PM, James Gray <james@xxxxxxxxxxx> wrote:
>> On 12/02/2010, at 7:38 PM, Tony Sceats wrote:
>> > I may have missed something, or maybe someone else has suggested this
>> > already, but why not pull instead of push?
>> >
>> > ie, from the machine that is the backup, connect to the master server
>> and
>> > rsync that way
>> >
>> >  - this will mean that anything that's world readable but only writable
>> by
>> > root wont be a problem (you can write locally, and read with a normal
>> user)
>> >  - anything that's readable only by root, well, you'd need root to back
>> it
>> > up, I don't think you can escape that.
>> Hi Tony,
>> THAT is exactly the problem, and why we need "root at both ends" (keep it
>> clean people!).  I'm not fussed if push some data, and pull the rest, but
>> stuff like /etc/shadow is a real pain (there are others, but this one is
>> well known).  I'm thinking I might just use root to tar up the problem files
>> (they aren't big) and transfer them using an unprivileged account, then get
>> root to unpack at the destination.  Obviously the tar ball will need to be
>> packed and dropped in a secure way at the destination (encrypted file using
>> PKI or some such).  This would work, but it would be ugly :(
>> Eventually, the whole /etc/passwd and /etc/shadow problem will go away
>> when we implement "Likewise Enterprise" to hook into our Active Directory
>> (cough, hack, spit) which will manage all the USER accounts.  Administrators
>> are so few and rarely turned over, we can manage those through the normal
>> *nix tools; and eventually puppet :)
>> *Sigh*.  I hate the audit-season :(  Deloitte, you suck.
>> Cheers,
>> James
>> --
>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html