[Dirvish] Dirvish and sudo
lueyb at jilau1.colorado.edu
Thu Jun 30 21:49:12 UTC 2005
Setting up Dirvish with sudo turns out to be pretty straight-forward, and
below is a quick description of how to do it. I'd appreciate any comments
on this approach and its security, etc.
Add the following line into the master.conf on the backup machine:
On the computer to be backed up, create the script
/usr/local/bin/rsync-new with content:
sudo /usr/bin/rsync $*
Now when dirvish runs on the backup machine, it connects to the machine to
be backed-up up with ssh/rsync (as user dirvish is this example), but runs
"sudo rsync" instead of rsync on the remote machine.
Sudoers has to be setup on the machine to be backup-ed. One could just add
dirvish ALL = NOPASSWD: /usr/bin/rsync
(assuming you log in as user dirvish). But then if a hacker broke in as
user dirvish, they could overwrite /etc/shadow with a simple rsync
command. I have the line:
dirvish ALL = NOPASSWD: /usr/bin/rsync --server --sender -vlHogDtprx
--numeric-ids . $DIRECTORY_TO_BACKUP
which is much more restrictive and I think more secure. You need a line
for every vault that you are backing up. Also if your configuration of
dirvish is different, the options might be a little different.
Subsequently, if you change dirvish options, sudo might stop rejecting
dirvish's sudo rsync line. You can add the line:
to rsync-new script to see what options dirvish is passing to rsync and
adjust /etc/sudoers accordingly. Maybe someone has clever way to restrict
rsync access to divish but give a little more flexibility in terms of
options passed, etc.
> Hi Ben, et al.
> I've been wanting to do that on one of the boxes here, however, I have
> had enough time to test it. However, what I am doing is using SSH keys
and preventing root logins without a key. I used the instructions found
here, for the most part: http://www.jdmz.net/ssh/
> Although it isn't a perfect solution, I would prefer sudo, it is a whole
bunch better than loosing the primary backup server and the whole farm.
> If you do get this working, please let us know, as I suspect this may be
one turn off's for may people wanting to use this backup package. I
especially was nervous about allowing root connections to my primary
server, even key'd ones.
> James Clendenan
> Ben Luey said:
>> Has anyone setup dirvish with sudo? I'd like the dirvish backup server to
>> login to the main server as a non-root user, and execute commands as root
>> using sudo? What's the best way to have dirvish add the word "sudo" to
every remote command it executes?
>> Ben Luey
>> lueyb at jilau1.colorado.edu
>> Dirvish mailing list
>> Dirvish at dirvish.org
> Information Technology Officer 2005
> Queen's University Engineering Society
> E-mail: mangler at engsoc.queensu.ca
> Dirvish mailing list
> Dirvish at dirvish.org
lueyb at jilau1.colorado.edu
More information about the Dirvish