On 09/23/2013 01:50 PM, Les Mikesell wrote:
> Is there something that convinces you that sudo is better at handling
> the command restriction than sshd would be?

In the context of a production server, the idea is to remove any ability from another host (e.g. backup server) to run local arbitrary code or change local files. (read-only)

There is one (small) benefit to not using SSHD options: Even if the account is somehow accessed locally (e.g. via password prompt), it still cannot be used for anything but a read-only rsync command.

And by using a (read only) script to replace the normal shell and sudo, I'm able to not only limit the command being run (in this case rsync) but also limit all options passed to it.

You can disable the password on the backup account to achieve a similar effect using an SSHD option.

If there's a better/simpler way to do this via SSHD option I'd love to hear about it!

Thanks,

-Ben
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
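
One way to build the kind of shell-replacement script the message describes, as an added example that is not the poster's own script: it accepts only an rsync server command that carries `--sender` (the remote side only sends files) and whose paths sit under one tree. `ALLOWED_ROOT`, the long-option allowlist and the `sudo -n /usr/bin/rsync` call are assumptions.

```shell
#!/bin/sh
# Added example: restricted login shell for a pull-only backup account.
# ALLOWED_ROOT, the option allowlist and the sudo call are assumptions.
LC_ALL=C; export LC_ALL
ALLOWED_ROOT="/srv/data"    # hypothetical tree the backup host may read

# Return 0 only for an rsync server command that sends files (read-only pull):
#   rsync --server --sender <options> . <path>...
check_rsync_cmd() {
    set -f; set -- $1; set +f           # split on whitespace, no globbing
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    state=0                             # 0: options, 1: "." seen, 2: path seen
    for arg in "$@"; do
        case $arg in                    # shell metacharacters never get through
            *[!A-Za-z0-9._/=-]*) return 1 ;;
        esac
        if [ "$state" -ge 1 ]; then     # after ".": source paths only
            case $arg in
                *..*) return 1 ;;
                "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) state=2 ;;
                *) return 1 ;;
            esac
            continue
        fi
        case $arg in
            .) state=1 ;;
            --numeric-ids|--one-file-system) ;;   # long options allowed here
            --*) return 1 ;;            # e.g. --remove-source-files
            -[A-Za-z]*) ;;              # bundled short flags, not checked per flag
            *) return 1 ;;
        esac
    done
    [ "$state" -eq 2 ]
}

# sshd starts the account's shell as: <shell> -c "<client command>".
# Any other invocation (e.g. an interactive login) falls off the end.
if [ "${1:-}" = "-c" ]; then
    if check_rsync_cmd "${2:-}"; then
        set -f; set -- $2; shift        # drop "rsync", keep validated arguments
        exec sudo -n /usr/bin/rsync "$@"
    fi
    echo "backup shell: command rejected" >&2
    exit 1
fi
```

The script itself should be owned by root and not writable by the backup account, matching the "(read only) script" in the message.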