[CentOS] Howto: Extremely tight security rsync shell for backups
Lists
lists at benjamindsmith.com
Mon Sep 23 20:26:35 UTC 2013
On 09/23/2013 01:02 PM, m.roth at 5-cent.us wrote:
> It does have to
> run as root, though, on both, to preserve ownership of home and project
> directories, etc.
Depending on how you interpret this statement, my documented process may
present a (mild) improvement.
It has the backup account on the public server being a non-priviliged
account only able to run a (tightly controlled) shell script which
contains the sudo call. In this way, even if the backup account is
compromised, it can't be used to "take down" the web server, only
provide access to the data. Technically, the rsync command *is* being
run as (sudo) root, but nothing else is, and the backup account has no
ability to change the parameters of the rsync account.
More information about the CentOS
mailing list