[CentOS] Howto: Extremely tight security rsync shell for backups
Lists
lists at benjamindsmith.comMon Sep 23 21:40:48 UTC 2013
- Previous message: [CentOS] Howto: Extremely tight security rsync shell for backups
- Next message: [CentOS] Howto: Extremely tight security rsync shell for backups
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 09/23/2013 01:50 PM, Les Mikesell wrote: > Is there something that convinces you that sudo is better at handling > the command restriction than sshd would be? In the context of a production server, the idea is to remove any ability from another host (EG: backup server) to run local arbitrary code or change local files. (read-only) There is one (small) benefit to not using SSHD options: Even if the account is somehow accessed locally, (eg via password prompt) it still cannot be used for anything but a read-only rsync command. And by using a (read only) script to replace the normal shell and sudo, I'm able to not only limit the command being run (in this case rsync) but also limit all options passed to it. You can disable the password on the backup account to achieve a similar effect using an SSHD option. If there's a better/simpler way to do this via SSHD option I'd love to hear about it! Thanks, -Ben
- Previous message: [CentOS] Howto: Extremely tight security rsync shell for backups
- Next message: [CentOS] Howto: Extremely tight security rsync shell for backups
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list