Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
After lots of hardware and network failures I have come to the conclusion that I need to find a good solution to back up my mail and web services.
My first try was copying things and archiving them to a backup server which is on a separate network (for ISP failure cases). Finally, that scenario didn't work that well.
After this I found some information about rsync, and it seems to me that it can be a good solution.
I need to back up emails in two directories, /var/spool/mail and /imap (for example).
It works with rsync very well: rsync -a --size-only /imap/* rmhost:/imap. But when I try to make it automatic by script I get into a little "situation".
I use a public/private key with ssh for password-less connection. There is a warning about the use of it. The very simplest way for me is to run rsync as root.
rsync -a --size-only /home/* rmhost:/home
It updates the home of every user on the backup. As in the warning about ssh keys, it is not a good idea to use keys for root. So I need to run it as some other user (syncer, for example), but this user won't be able to access all user directories on the MASTER server. It also won't be able to access them on the backup.
Is there any "nice" way to manage this problem?
I was thinking that I could save the ownership of the files, change it to syncer before I rsync them to the remote directory, and then restore the user ownership of the files.
Is this a good idea?
Last edited by hua; 03-01-2011 at 09:41 AM.
PermitRoot in sshd_config allows yes, no, and without-password. without-password only allows keys to be used. This is not a huge security problem in most cases, but it certainly depends on the network design that it is being deployed in.
The other option is to run rsync as root to preserve permissions and back up everything.
This requires NTP to be set up to work correctly, as time is a major concern for this to work properly.
To help explain it I will call one server mail and one server backup.
On both servers, set up a backup user and configure keys for the backup user.
On the mail server, write a cron job that checks for a certain file in a backup-user-writable location, e.g. /tmp/.backupstart.
This script checks for the .backupstart file, changes sshd to PermitRoot without-password and restarts sshd, then sleeps for 3-5 minutes, then changes the config back to PermitRoot no and restarts sshd again.
On the backup server there are 2 scripts.
One script will ssh to the mail server, touch the .backupstart script and then exit.
The other will be the script run as root that starts the backup over ssh with root keys in that 3-5 minute period. This is why the NTP is so important in this case; timing must be perfect.
In a real-world environment the backup server would be placed on an out-of-band network only that is not accessible to the world.
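The mail-server side of the scheme described in this reply, written out as an added example script (not code from the thread or from any of its posters). The actual sshd directive is PermitRootLogin (the reply abbreviates it to PermitRoot); current OpenSSH names the key-only value prohibit-password and still accepts without-password as an alias, so the value used here matches the reply. Everything else is an assumption of this example: the trigger file is kept in a root-owned directory /var/lib/backup-window instead of /tmp so the backup user can only create it, not replace it with a symlink; the backup user is named backup; the window is 300 seconds; sshd is reloaded with SIGHUP via /run/sshd.pid after sshd -t has validated the file; and a trap puts PermitRootLogin back to no if the script is interrupted during the sleep, so a failed run cannot leave the window open.

```shell
#!/bin/sh
# Added example: root-login window opener for the "mail" server.
# Run from root's crontab every minute with BACKUP_WINDOW_RUN=1.
# Paths, user name and window length below are assumptions, not values
# from the thread.

CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
TRIGGER="${BACKUP_TRIGGER:-/var/lib/backup-window/.backupstart}"
BACKUP_USER="${BACKUP_USER:-backup}"
WINDOW_SECONDS="${WINDOW_SECONDS:-300}"

# Rewrite (or append) the PermitRootLogin directive in a config file.
# Commented-out copies of the directive are rewritten too, so the
# result is a single active line. The edit is done on a copy that is
# then moved into place, so a failed sed never leaves a truncated file.
set_permit_root_login() {
    cfg="$1"; value="$2"
    tmp="$cfg.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin $value/" \
            "$cfg" > "$tmp"
    else
        cp "$cfg" "$tmp"
        printf 'PermitRootLogin %s\n' "$value" >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Print the value of the first active PermitRootLogin line (sshd uses
# the first match it finds), or nothing if the directive is absent.
get_permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# Accept the trigger only if it is a regular file owned by the backup
# user. find without -L inspects the link itself, so a symlink dropped
# in place of the trigger fails the -type f test.
trigger_is_valid() {
    t="$1"; owner="$2"
    [ -n "$(find "$t" -prune -type f -user "$owner" 2>/dev/null)" ]
}

# Validate the config before asking sshd to re-read it; a syntax error
# must not take the SSH service down.
reload_sshd() {
    sshd -t -f "$CONFIG" && kill -HUP "$(cat /run/sshd.pid)"
}

# Open the key-only root login window, wait, then close it. The trap
# closes the window even if the script is killed during the sleep.
open_window() {
    trap 'set_permit_root_login "$CONFIG" no; reload_sshd' INT TERM EXIT
    set_permit_root_login "$CONFIG" without-password
    reload_sshd
    sleep "$WINDOW_SECONDS"
    set_permit_root_login "$CONFIG" no
    reload_sshd
    trap - INT TERM EXIT
}

main() {
    if trigger_is_valid "$TRIGGER" "$BACKUP_USER"; then
        # Consume the trigger first so the next cron run does not reopen
        # the window a second time.
        rm -f "$TRIGGER"
        open_window
    fi
}

if [ "${BACKUP_WINDOW_RUN:-0}" = 1 ]; then
    main
fi
```

The ownership check on the trigger and the EXIT trap are the two details a reviewer would ask for in this design: the first stops any local account from opening the window by planting a file, the second stops a crash mid-sleep from leaving root login enabled. The window is still reachable by anything that can hit port 22 while it is open, which is why the reply's point about an out-of-band backup network matters.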