From: Martin Hansen <mah_list1@cf...> - 2006-06-26 08:10:05
Mon, 19 06 2006 at 13:46 -0400, Rick DeNatale wrote:
> The problem with both this suggestion, AND the script given on the
> page is that although it works for backup it fails for restore.
No, of course you have to put two lines in the sudoers file, if you take
as many details as I, one for the backup command and one for the restore
command; in my sudoers it says:
backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender --numeric-ids --perms --owner --group -D --links --times --block-size=2048 --recursive *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server --numeric-ids --perms --owner --group -D --links --times --block-size=2048 *
You can also set only one line to
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
as this will match both cases, but I prefer to restrict as much as
possible, and use the two-line solution.
> > I wonder how many people test their backup setup without testing
> > restore?
Don't know. I did!
> > The way I do this is to use a script which contains
> > exec /usr/bin/rsync $*
> > which passes the arguments from the configuration in the backuppc
> > server. This script is only writable by its owner which is the user
> > backuppcclient.
> > I then setup my /etc/sudoers on the backuppc client host to only
> > allow the backuppcclient user to execute that ONE script as root.
I think you are missing the point; there is really no difference
between executing your script and the command directly, as an evil user
from the backuppc, getting access as the backuppcclient user, I can
invoke the rsync with the parameters I want, and thereby getting r/w
access to all the files I want. And thereby compromising the machine.
Med venlig hilsen/mojn/regards
Center for Software Innovation
Stenager 2, DK-6400 Sønderborg, Web: http://www.cfsi.dk
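
Added example, not part of the original message or of BackupPC: a small shell check that reports which of the three sudoers rules quoted above would admit a given rsync argument list, useful when auditing how much the one-line rule widens access. It relies on sudo comparing command-line arguments as one space-joined string in which `*` also matches spaces; the function name and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an rsync argument vector against the sudoers
# rules quoted in the message. Function name and sample paths are constructed.

# Fixed option prefixes copied from the two narrow sudoers lines; the
# trailing space stands for the space before the final "*" wildcard.
BACKUP_PREFIX='--server --sender --numeric-ids --perms --owner --group -D --links --times --block-size=2048 --recursive '
RESTORE_PREFIX='--server --numeric-ids --perms --owner --group -D --links --times --block-size=2048 '

# Prints which rule admits the arguments:
#   backup      narrow backup rule (also matched by the one-line rule)
#   restore     narrow restore rule (also matched by the one-line rule)
#   broad-only  only the one-line "rsync --server *" rule
#   denied      none of the three rules
classify_rsync_args() {
    joined="$*"    # arguments compared as a single space-joined string
    case "$joined" in
        "$BACKUP_PREFIX"*)  echo backup ;;
        "$RESTORE_PREFIX"*) echo restore ;;
        "--server "*)       echo broad-only ;;
        *)                  echo denied ;;
    esac
}

# Constructed sample invocations, one per outcome.
classify_rsync_args --server --sender --numeric-ids --perms --owner --group \
    -D --links --times --block-size=2048 --recursive . /home/
classify_rsync_args --server --numeric-ids --perms --owner --group \
    -D --links --times --block-size=2048 . /home/
classify_rsync_args --server --times . /srv/data/
classify_rsync_args --version
```

All three rules end in `*`, so the two narrow rules pin the option set but not the paths that follow it.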