Re: Howto: Extremely tight security rsync shell for backups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Lists wrote:
> We've been using rsync since forever to back up all our servers and it's
> worked without a problem. But in a recent security review, we noted that
> our specific rsync backup host is using root keys to access the server,
> meaning that if the keys on the backup server were leaked/compromised in
> any fashion, that would provide r00t access to the servers being backed
> up.
>
> Since this doesn't seem to be readily documented, I thought I'd provide
> it to the community.
>
> After some playing around, we've found it is possible to set up
> rsync/ssh so that the connecting server can ONLY run rsync with a
> predetermined set of options.
<snip>
Yup. What we do is have keys for a specific program (in house written)
that is called via crontab, and the keys for the backup server is *only*
on the servers that are backed up by that system, and there's an in-house
written script that restricts what that program can do. It does have to
run as root, though, on both, to preserve ownership of home and project
directories, etc.

        mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux