linux:rsnapshot [2006/03/21 12:28] – alien | linux:rsnapshot [2008/11/24 22:08] – Some clarifications and re-formatting. alien |
Good example docs about how to set this up are:\\ | Good example docs about how to set this up are:\\ |
http://blog.innerewut.de/articles/2005/05/25/remote-filesystem-snapshots-with-rsnapshot | http://blog.innerewut.de/articles/2005/05/25/remote-filesystem-snapshots-with-rsnapshot |
and it's follow-up article:\\ | and it's follow-up article:\\ |
http://blog.innerewut.de/articles/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot | http://blog.innerewut.de/articles/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot |
as well as some improvements to this:\\ | as well as some improvements to this:\\ |
http://sourceforge.net/mailarchive/forum.php?thread_id=8991705&forum_id=41320 | http://sourceforge.net/mailarchive/forum.php?thread_id=8991705&forum_id=41320 |
| |
| |
local# ssh remote-server | local# ssh remote-server |
; you might have to create the directory ~/.ssh if it doesnt exist: | ; you might have to create the directory ~/.ssh if it doesnt exist: |
; "chmod 600 ~/.ssh ; chown rbackup ~/.ssh" | ; "chmod 700 ~/.ssh ; chown rbackup ~/.ssh" |
; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right, | ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right, |
; passwordless login will FAIL! | ; passwordless login will FAIL! |
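Review bot: the change from `chmod 600 ~/.ssh` to `chmod 700 ~/.ssh` is the actual fix in this region and the comment should say why: without the execute bit on the directory sshd cannot open `~/.ssh/authorized_keys`, so key login fails exactly as the warning `; passwordless login will FAIL!` predicts. Since the comment already names both `~/.ssh` and `~/.ssh/authorized_keys`, give the reader something to check against by stating the expected state of both: `~/.ssh` mode 700 and `~/.ssh/authorized_keys` not group- or world-writable (600 is the usual choice), both owned by `rbackup`, as the `chown rbackup ~/.ssh` line intends.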
* Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. | * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. |
* Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> | * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> |
from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa | from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa |
AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= | AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= |
rbackup@TheVault</code> | rbackup@TheVault |
* Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code> | </code> Make sure your version of **''from="192.168.200.34"''** contains the IP address of your rsnapshot server! |
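Review bot: the authorized_keys entry shown as `from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa` / `AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8=` / `rbackup@TheVault` is listed across three lines, but sshd reads one key per line; say explicitly that options, key type, key and comment form a single line, or a reader who pastes the listing as shown ends up with three unusable entries. The added sentence about making sure `from="192.168.200.34"` holds the rsnapshot server's address is a useful reminder; for the stated goal that the key is "only allowed to run one specific command", the same entry should also carry `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` before `command=`, because `command=` alone restricts what gets executed but leaves forwarding and pty allocation available to the key holder.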
#!/bin/sh | * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code bash> |
case "$SSH_ORIGINAL_COMMAND" in | #!/bin/sh |
*\&*) | case "$SSH_ORIGINAL_COMMAND" in |
| *\&*) |
echo "Rejected 1" | echo "Rejected 1" |
;; | ;; |
*\;*) | *\;*) |
echo "Rejected 2" | echo "Rejected 2" |
;; | ;; |
$SSH_ORIGINAL_COMMAND | $SSH_ORIGINAL_COMMAND |
;; | ;; |
*true*) | *true*) |
echo $SSH_ORIGINAL_COMMAND | echo $SSH_ORIGINAL_COMMAND |
;; | ;; |
*) | *) |
echo "Rejected 3" | echo "Rejected 3" |
;; | ;; |
esac | esac |
</code> and ''chmod 754 /home/rbackup/validate-rsync.sh'' to make it executable. | </code> and run the following commands to make it executable for user ''rbackup'': <code> |
| chown rbackup /home/rbackup/validate-rsync.sh |
| chmod 754 /home/rbackup/validate-rsync.sh |
| </code> |
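Review bot: the `case` statement is missing the pattern line for the command it is meant to accept: after the `;;` that follows `echo "Rejected 2"`, the next line is `$SSH_ORIGINAL_COMMAND` with no `pattern)` in front of it, which sh reports as a syntax error, so as listed the script runs nothing in either revision. Add the allowed pattern there, anchored at the start of the command rather than written as `*...*` like the reject patterns, for example `/usr/local/bin/rsync_wrapper.sh\ --server*)` to match the wrapper this page configures next (or `rsync\ --server*)` where the wrapper is not used); an anchored accept pattern plus the final `*)` reject turns the script from a short deny list (only `&` and `;` are checked, other shell metacharacters pass) into an allow list. The `Rejected` branches also return exit status 0 after their `echo`, so the calling side sees a successful ssh command; put `exit 1` after each `echo "Rejected ..."`. The `*true*)` branch only echoes the command, which is fine as a connectivity probe but deserves a comment saying so.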
* Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh | * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh |
/usr/bin/sudo /usr/bin/rsync "$@"; | /usr/bin/sudo /usr/bin/rsync "$@"; |
</code> | </code> |
* Add this line to ''/etc/sudoers'': <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> | * Add this line to ''/etc/sudoers'' so that user ''rbackup'' can run the wrapper's ''rsync'' command with //root// privileges: <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> |
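Review bot: `/usr/local/bin/rsync_wrapper.sh` is never made executable; the previous item adds `chown rbackup` and `chmod 754` for `validate-rsync.sh`, but nothing equivalent follows the wrapper listing, so add `chmod 755 /usr/local/bin/rsync_wrapper.sh` (root ownership is fine, only the `sudo` call inside needs to run as `rbackup`). The sudoers line `rbackup ALL = NOPASSWD: /usr/bin/rsync` permits any arguments, so `rbackup` can run `rsync` as root with whatever options arrive through the wrapper's `"$@"`; the new wording "with root privileges" makes that explicit, which is good, and the page should add that the forced `command=` and `validate-rsync.sh` are therefore the only controls between the backup server's key and root on this host. Narrowing the sudoers entry to the server-side form rsnapshot actually issues (`/usr/bin/rsync --server --sender *`) helps a little, with the caveat that sudoers wildcards match across argument boundaries, so the validation script remains the real gate.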
| |