* Stefan Seyfried wrote on Tue, Jul 22, 2003 at 13:45 +0200:
On Mon, Jul 21, 2003 at 09:15:07AM +0200, Steffen Dettmer wrote:
You do "client push" of files for backup (instead of server poll),
No, I do server poll, since my backup server accesses the clients through a masquerading router -> no way back :-)
But you connect as root to make sure to read all files? Or do you connect as some unprivileged user?
    if ( $line =~ m#^/usr/bin/rsync --server --sender # ) {
        # this regexp will need tweaking to handle unusual
        # (but legal) characters in paths. eg: [_\.]
        ($safeline=$line) =~ s|[^\w\s\d\-\/\.]||g;
Here you just have to get the path passed by the command line, so it is not a problem, of course.
I put this in /root/bin/rsync_wrapper; my authorized_keys is like this:
command="bin/rsync_wrapper",no-pty,no-port-forwarding,no-agent-forwarding ssh-dss AAA...
Probably with some from="" and so on; quite clear.
This is all on the "client machine", the one which is backed up. On the server, it is important to call rsync with the "--rsync-path=" option; otherwise, $SSH_ORIGINAL_COMMAND will be "rsync --server --sender..." and not "/usr/bin/rsync --server --sender...". So you have to do (on the server) "rsync --rsync-path=/usr/bin/rsync -e ssh ..."
If you don't trust the PATH, or in which case?
If you are really paranoid,
I'm not only asking out of paranoia but also for practical experiences. I use a server poll approach on one system with a few hosts also, but with manual trigger only, because non-password-protected SSH keys for root are not a perfect thing. The rsync --server --sender can be used to write to the system also, I guess? Or just r/o?

oki,
Steffen

-- 
This letter was generated by machine; it therefore bears neither signature nor seal.
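The read-only question turns on "--sender": with "--server --sender" the client side only sends files, while "--server" alone puts the client in receiving (writing) mode. The wrapper below is an added example, not the script from this thread; it pins the sender form, rejects (rather than strips) unexpected characters, and assumes rsync lives at /usr/bin/rsync and that backups are confined to /etc and /home.

```shell
#!/bin/sh
# Added example (not the thread's wrapper): forced-command wrapper for an
# authorized_keys entry like command="bin/rsync_wrapper",no-pty,... so that a
# backup key can only run read-only "rsync --server --sender" on this host.
# Assumed: rsync is /usr/bin/rsync; allowed backup roots are /etc and /home.
ALLOWED_RSYNC=/usr/bin/rsync
SAFE_CHARS='A-Za-z0-9_ ./-'   # same set the quoted Perl regex tolerates

# check_rsync_cmd CMD: return 0 if CMD is an acceptable read-only rsync server
# command, 1 otherwise. Whitelist policy: anything unexpected fails.
check_rsync_cmd() {
    cmd=$1
    # 1. Absolute rsync path in sender mode: the client only reads its disk.
    case $cmd in
        "$ALLOWED_RSYNC --server --sender "*) ;;
        *) return 1 ;;
    esac
    # 2. Reject any character outside the safe set (quotes, ';', '|', '$',
    #    newlines ...) instead of silently stripping it.
    case $cmd in
        *[!$SAFE_CHARS]*) return 1 ;;
    esac
    # 3. No sender-side deletion options and no parent-directory components.
    case $cmd in
        *--remove*|*..*) return 1 ;;
    esac
    # 4. The source path rsync sends (last word) must be under an allowed root.
    src=${cmd##* }
    case $src in
        /etc|/etc/*|/home|/home/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when sshd handed us a command; an interactive login gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Word splitting is safe here: step 2 excluded every shell metacharacter.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync_wrapper: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The rejected commands are logged to stderr, which sshd passes back to the backup server, so a misconfigured or tampered invocation shows up in the server's rsync error output.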