On Sat, 2006-10-28 at 16:54 +0800, 张韡武 wrote:
Hello. I am making up a regular backup procedure for a web server (sitting in the datacenter). There are a lot of files created by www-run (uploaded by users) that need to be backed up from my office. These files' permission is 600. The backup script runs on my office desktop and uses ssh to fetch updated files and create a backup in my office.
Better English: Hello. I need to decide how to back up my web server from my office. The webserver is in the datacenter far away. Among all the files that need to be backed up, a lot of them are owned by www-run and have a permission of 600; these files are uploaded by the web visitors. My idea is that I can run a script in crontab, on the desktop in my office, that connects to the web server through ssh and fetches the files I need to back up. This script connects to the web server as a normal user, but then the script cannot read the files web visitors uploaded (permission denied). So far I have thought of 4 methods to solve this problem. I want to share these ideas with experienced users on the group and listen to your suggestions ;)
Ideas: 1. I can adjust the umask so that the files created by apache have some user permission like 644, so that the backup script can use ssh to connect to the server as any user and be able to read these files;
1: I try to set a proper umask so that the files uploaded by visitors automatically have a permission like 644. This way my backup script does have permission to read these files.
2. I can adjust the sshd permission to allow root to log in remotely over ssh (the previous setting by our administrator is: root is not allowed for sshd, you must first log in as a normal user and 'su'; this is said to be more secure), and the backup script should run as 'root' on the web server, thus it can read these files belonging to www-run without necessarily having permission to do so;
2: I try to let my backup script connect to the webserver as root. The webserver forbids root login, thus I may need to configure sshd to allow root login.
3. Tweak idea (2) a little bit: use 'sudo' rather than logging in as root to the web server.
3: I try to use 'sudo': connect to the webserver as a normal user and 'sudo' to root to fetch the files.
4. I can adjust /etc/passwd to make the login shell of www-run /bin/bash (was: /bin/false) so that the backup script can ssh to the web server as www-run; thus it can read any file the apache server can read;
4: I try to let my backup script connect to the webserver as user 'www-run'. To do so I need to give the www-run user login permission, by changing its login shell from /bin/false to /bin/bash.
Which method is more secure? What do you suggest I do?
So, which idea do you think is better? Any suggestions?
--
锐业软服 (domestic business) http://www.realss.cn
Real SoftService http://www.realss.com
Sales inquiries (Sales Department): 0086 592 20 99987 (Chinese, German, English)
International business (International Sales): 0086 10 8460 6011 (German and English)
Contact: Xiamen University Science Park, Jiageng Building No. 2, 6th floor
Post: P.O. Box 2312, Xiamen University (postal code 361005)
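
Added example, not part of the original message: a small shell demonstration of what idea 1 changes, showing the mode a new file gets under umask 077 (the 600 described in the post), 022 (the 644 of idea 1) and, going one step beyond the post, 027 (640, readable only by the file's group). The function names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: how the creating process's umask decides whether a
# non-owner account (such as a backup user) can read a newly created file.

# Create one empty file in DIR under umask MASK.
# The subshell keeps the umask change local to this call.
make_upload() {  # usage: make_upload DIR MASK NAME
    ( umask "$2" && : > "$1/$3" )
}

# Print the octal mode of FILE (GNU stat, with a BSD fallback).
mode_of() {  # usage: mode_of FILE
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Count regular files under DIR that lack the read bit for CLASS,
# where CLASS is g (group) or o (other).
count_unreadable() {  # usage: count_unreadable DIR g|o
    find "$1" -type f ! -perm -"$2"=r | wc -l | tr -d ' '
}

demo() {
    d=$(mktemp -d) || return 1
    make_upload "$d" 077 a.jpg   # 600: owner only, as in the post
    make_upload "$d" 022 b.jpg   # 644: idea 1, every local user can read
    make_upload "$d" 027 c.jpg   # 640: only owner and group can read
    for f in a.jpg b.jpg c.jpg; do
        printf '%s %s\n' "$f" "$(mode_of "$d/$f")"
    done
    printf 'not readable by other: %s\n' "$(count_unreadable "$d" o)"
    printf 'not readable by group: %s\n' "$(count_unreadable "$d" g)"
    rm -rf "$d"
}

demo
```

The 640 case only helps a backup account that is a member of the file's group; with 644, every local account on the server can read the uploads.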