On Tuesday 29 July 2008, Mike Zanker wrote:
> On 29/07/08 15:58, mirror-maintainer at mirror.averse.net wrote:
> > Your rsync user - don't run rsync as root! And don't run it as your
> > web/ftp service account either.
>
> I can understand not running rsync in daemon mode as root but what is
> the problem with running the rsync client as root?

There are many reasons:

1) Do you use your computer for regular actions as root?

2) rsync can have bugs, and it is dedicated to massively creating or removing files; isn't it safer to run it as a normal user, just in case?

3) On the remote tree, the sysadmin can create setuid executables, device files, etc., with permissions of his own choice. All those files will be nicely synced to your server with their permissions. Running it as a regular user will deny creation of device files and, in the worst case, give a setuid executable runnable as this user, but in any case not setuid root.

4) rsync run as root can keep UIDs/GIDs as is, without checking who the users with these UIDs/GIDs are on your own system, which can give permission to someone untrusted on your side to modify/delete the mirror.

Finally:

5) Splitting actions across several _normal_ users can limit breakage in case of a security hole in one of those services.

Best regards.
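The checks implied by points 3 and 4, as an added example that is not part of the original message: a POSIX shell function that audits a mirror tree after a sync for setuid/setgid files, device nodes, and entries not owned by the mirror account. The function name `audit_mirror_tree`, its arguments and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-sync audit of a mirror tree (not from the original message).
# Usage: audit_mirror_tree DIR [OWNER_UID]
#   DIR        mirror tree that the unprivileged rsync user writes to
#   OWNER_UID  numeric UID expected to own every entry (default: current user)
# Prints "<kind><TAB><path>" per finding. Returns 0 if clean, 1 on findings,
# 2 on bad arguments. Paths containing newlines are not handled.
audit_mirror_tree() {
    dir=$1
    owner_uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "audit_mirror_tree: not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Point 3: setuid/setgid files copied with the upstream's permissions.
        find "$dir" -type f -perm -4000 -exec printf 'setuid\t%s\n' {} \;
        find "$dir" -type f -perm -2000 -exec printf 'setgid\t%s\n' {} \;
        # Point 3: block/character device nodes (only root can create these).
        find "$dir" \( -type b -o -type c \) -exec printf 'device\t%s\n' {} \;
        # Point 4: entries whose preserved UID is not the mirror account's.
        find "$dir" ! -user "$owner_uid" -exec printf 'foreign-owner\t%s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run as a script: sh audit.sh /path/to/mirror [uid]
if [ "$#" -gt 0 ]; then
    audit_mirror_tree "$@"
fi
```

Run it from the mirror account right after each sync and alert on a non-zero exit status.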