Nathan Rosenquist wrote:
I don't know of any workarounds for the root login requirement, or I
would probably recommend one as the default.
It is possible to log in as an arbitrary user from rsnapshot, but you
will only have whatever privileges are given to that user on the remote
server.
If you only want to back up a subset of your data with clearly defined
permissions (such as all web content, for example), you could simply do
your backups as an unprivileged user on the box. This is what I do to
back up my SourceForge data, and accounts on shared hosting environments
(where I don't have root). If you need to back up things that are only
accessible to root (and keep the proper ownerships, etc), you will have
to become root one way or another.
By making a small modification to the "scponly" program (
http://www.sublimation.org/scponly/ ), you can create another user in
/etc/passwd with a uid of 0, and set this user's shell to scponly. In
this way, content can be transferred back and forth, but arbitrary shell
commands can not be run. However, the author of scponly did not enable
root logins on purpose as a security feature. The reasoning is that if
you can remotely write files to a server as root, you can simply upload
a new /etc/passwd file and become root anyway. However, all the backup
programs I've seen require full access if they are to back up all files
on a machine.
Another thing some people have done is to explicitly set the rsync
command to be run at login in the authorized_keys file. This prevents
remotely invoking any other command, although you have to remember to
keep these directives in sync with your rsnapshot.conf file.
If you do use scponly, make sure to enable rsync during ./configure,
since scponly does not support it by default.
Another way would be to change the permissions on the rsync binary to
SUID root, executable only to user and group, group owned by wheel, with
no permissions to anyone else. This is slightly risky, but I'm assuming
only trusted users are on this box anyhow.
Another option is sudo. Replace your rsync binary with a shell wrapper
script that determines if user-a executes, then use sudo to run the real
binary as requested, otherwise just run the rsync binary (no sudo).
Eric
------------------------------------------------------------------------
Eric Anderson Sr. Systems Administrator Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
------------------------------------------------------------------------
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss
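The thread mentions pinning the rsync command in authorized_keys. A common variant is a forced-command filter that checks what the backup host asks for, sketched below as an added example that is not part of the original messages. The script path, the allowed path list and the allowed long-option list are assumptions chosen for illustration, and the key material is elided.

```shell
#!/bin/sh
# Forced-command filter for a backup-only SSH key (added example).
# Hypothetical install path /usr/local/sbin/rsync-only; authorized_keys entry:
#   command="/usr/local/sbin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup
# Both lists are constructed samples; keep them in sync with rsnapshot.conf.
ALLOWED_ROOTS="/etc/ /home/ /var/www/"
ALLOWED_LONG_OPTS="--numeric-ids"

# Return 0 only for "rsync --server --sender <opts> . <allowed paths>".
rsync_cmd_allowed() {
    # Plain characters only: nothing left for the shell to glob or interpret.
    case $1 in
        ''|*[!A-Za-z0-9" "._/=,:-]*) return 1 ;;
    esac
    set -- $1    # split on spaces; positional parameters are local to the function
    # --sender: the remote rsync sends files to the backup host (a pull).
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # Options run up to the lone "." that precedes the path list.
    while [ $# -gt 0 ] && [ "$1" != . ]; do
        case $1 in
            --*) case " $ALLOWED_LONG_OPTS " in *" $1 "*) ;; *) return 1 ;; esac ;;
            -*)  ;;    # short-option cluster such as -logDtpr
            *)   return 1 ;;
        esac
        shift
    done
    [ $# -ge 2 ] || return 1    # need "." plus at least one path
    shift
    for path in "$@"; do
        case $path in *..*) return 1 ;; esac    # no parent-directory escapes
        ok=1
        for root in $ALLOWED_ROOTS; do
            case $path in "$root"*) ok=0 ;; esac
        done
        [ "$ok" -eq 0 ] || return 1
    done
    return 0
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND    # word-split only; never eval'd or re-parsed
    fi
    echo "rsync-only: rejected command" >&2
    exit 1
fi
```

Because unlisted long options are refused, a change to the rsync arguments in rsnapshot.conf shows up as a rejected backup run until ALLOWED_LONG_OPTS is updated to match.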