linux:rsnapshot [2006/03/30 11:38] – alien | linux:rsnapshot [2008/11/24 22:08] – Some clarifications and re-formatting. alien |
---|---|
* Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. | * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. |
* Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> | * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> |
from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa | from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa |
AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= | AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= |
rbackup@TheVault</code> | rbackup@TheVault |
* Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code> | </code> Make sure your version of **''from="192.168.200.34"''** contains the IP address of your rsnapshot server! |
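Review bot: the authorized_keys entry is displayed wrapped over three rows (`from=...,command=... ssh-rsa`, the key body, `rbackup@TheVault`), but sshd reads one key per line, so a reader who copies it as shown gets an entry that is not recognised; the text should say the whole entry goes on a single line. Since the key is already pinned with `command=`, the standard `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` options belong in front of it as well, so that a session which passes the `from=` check still cannot open a tunnel, forward an agent or obtain a terminal; `from=` is only a source-address check and does not replace them.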
#!/bin/sh | * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code bash> |
case "$SSH_ORIGINAL_COMMAND" in | #!/bin/sh |
*\&*) | case "$SSH_ORIGINAL_COMMAND" in |
| *\&*) |
echo "Rejected 1" | echo "Rejected 1" |
;; | ;; |
*\;*) | *\;*) |
echo "Rejected 2" | echo "Rejected 2" |
;; | ;; |
$SSH_ORIGINAL_COMMAND | $SSH_ORIGINAL_COMMAND |
;; | ;; |
*true*) | *true*) |
echo $SSH_ORIGINAL_COMMAND | echo $SSH_ORIGINAL_COMMAND |
;; | ;; |
*) | *) |
echo "Rejected 3" | echo "Rejected 3" |
;; | ;; |
esac | esac |
</code> and ''chmod 754 /home/rbackup/validate-rsync.sh'' to make it executable. | </code> and run the following commands to make it executable for user ''rbackup'': <code> |
| chown rbackup /home/rbackup/validate-rsync.sh |
| chmod 754 /home/rbackup/validate-rsync.sh |
| </code> |
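Review bot: the `case` in validate-rsync.sh as shown has an arm with no pattern: `$SSH_ORIGINAL_COMMAND` followed by `;;` comes straight after the `*\;*)` arm, which is a shell syntax error, so `sh` refuses to run the script and every rsync connection is rejected. The rsnapshot HOWTO's version of this script puts `rsync\ --server*)` on that arm, which is presumably what was lost when the wiki text was edited, and it should be restored. The deny list is also shorter than the HOWTO's, which additionally rejects `|`, backtick, `(`, `{` and `<`; since the accepted command ends up running as root through sudo further down, make the `rsync\ --server*)` arm the only accepting one and have every `Rejected` arm `exit 1`, so the failure shows up in the rsnapshot log instead of being echoed with exit status 0. The `*true*)` arm, which echoes the command back rather than rejecting it, looks like a connectivity-test hook and should be removed or documented as such.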
* Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh | * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh |
/usr/bin/sudo /usr/bin/rsync "$@"; | /usr/bin/sudo /usr/bin/rsync "$@"; |
</code> | </code> |
* Add this line to ''/etc/sudoers'': <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> | * Add this line to ''/etc/sudoers'' so that user ''rbackup'' can run the wrapper's ''rsync'' command with //root// privileges: <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> |
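Review bot: the sudoers line gives `rbackup` passwordless root `rsync` with unrestricted arguments, and the wrapper in `/usr/local/bin/rsync_wrapper.sh` adds no restriction of its own (it passes `"$@"` straight through), so the forced-command filter is the sole control over what the backup server's key can read or write as root on REMOTE. If the backups are pulls only, narrow the entry to the mode rsync runs in for a pull, e.g. `rbackup ALL = NOPASSWD: /usr/bin/rsync --server --sender *`, so that a push or any other rsync invocation cannot write as root. The page also never shows how the backup server is made to call the wrapper instead of plain rsync (rsync's `--rsync-path` option, set through `rsync_long_args` in rsnapshot.conf); without that step the sudo path is never exercised and the backup runs as the unprivileged `rbackup` user.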