- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Replicate Production to DR file system with rsync
- From: Ken Foskey <kfoskey@xxxxxxxxxx>
- Date: Sat, 13 Feb 2010 11:42:08 +1100
On Fri, 2010-02-12 at 16:22 +1100, Jeremy Visser wrote:
> On Fri, 2010-02-12 at 15:37 +1100, Ken Foskey wrote:
> > I have done this using sudo. I write a script on the called machine,
> > sign on as my user and run the script using sudo which I authorise (very
> > specifically) to root without password.
>
> Agreed. Not only that, but you can restrict sudo to only be able to run
> certain commands -- rsync being the case in point.
>
> Something like the following oughta do the trick (assuming you have a
> group called 'backup' that the backup user is in — remove the % to make
> it refer to a user instead):
>
> %backup ALL = NOPASSWD: /usr/bin/rsync -ar server1:/vital_data/ /vital_data/
>
> (The above should enforce that rsync is only called with those
> particular parameters, if I read the sudoers man page correctly.)
I use a simpler and, to some extent, more flexible approach.
I create a script in a known directory, for
example /usr/sbin/run_copy.sh. I then authorise the admin group to
run only that specific script. This keeps complicated command lines to
a minimum.
The run_copy command might, for example, do a tar of the specified files.
You can then pipe that tar across the link to the recipient system. I
would write another script to untar into a working set, verify the copy
somehow, then install it using another script.
In visudo, add this line:
# allow admin group to run the rsync script
%admin ALL=NOPASSWD: /usr/sbin/run_copy.sh
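The script-based flow described above (tar on the sender, untar into a working set, verify, then install), written out as an added example that is not from the original thread. The function names, the staging-directory layout and the SHA-256 comparison are assumptions; the post only says "verify the copy somehow". Assumes GNU coreutils (sha256sum) and tar.

```shell
#!/bin/sh
# Added example, not the poster's own script. run_copy() is the single
# command the admin group would be granted in sudoers (paths assumed):
#   %admin ALL=NOPASSWD: /usr/sbin/run_copy.sh
# The receiving side unpacks into a working set, checks the archive
# against the checksum computed on the sender, and only then installs it.
set -eu

# Sender: stream a tar of SRC_DIR to stdout. Because sudo pins the script,
# the caller cannot slip in arbitrary tar or rsync options.
run_copy() {
    src_dir=$1
    tar -C "$src_dir" -cf - .
}

# Receiver: unpack ARCHIVE into a staging directory beside DEST, refuse to
# install if its SHA-256 differs from EXPECTED_SUM, otherwise swap the
# staging directory in with a rename so the live copy is never half-written.
receive_copy() {
    archive=$1 expected_sum=$2 dest=$3
    actual_sum=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual_sum" != "$expected_sum" ]; then
        echo "checksum mismatch, refusing to install" >&2
        return 1
    fi
    staging="$dest.staging"
    rm -rf "$staging" && mkdir -p "$staging"
    tar -C "$staging" -xf "$archive"
    rm -rf "$dest.old"
    [ -d "$dest" ] && mv "$dest" "$dest.old"
    mv "$staging" "$dest"
}

# Demonstration on constructed data; a local file stands in for the link
# between the two machines (e.g. run_copy piped through ssh).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" && echo "vital" > "$work/src/data.txt"
    run_copy "$work/src" > "$work/copy.tar"
    sum=$(sha256sum "$work/copy.tar" | cut -d' ' -f1)
    receive_copy "$work/copy.tar" "$sum" "$work/live"
    # A corrupted or tampered archive is rejected and the live copy kept.
    if receive_copy "$work/copy.tar" "0000" "$work/live" 2>/dev/null; then
        echo "tampered archive was installed" >&2; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}
demo
```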