Solved

Permission issue Centos

Posted on 2011-10-01
359 Views
Last Modified: 2012-08-13
Hello,

I'm making an rsync script that will sync two servers. I made an account, rsync, and set up the SSH key so I don't need to log in every time with that account. It works except for one problem I am having: the account doesn't have access to the home directory...

What do I have to do to give this user access to the home directory and everything in it, without changing the ownership of the folder itself?
Question by:Phelms215
15 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897467
To which home directory?  A user other than rsync?

Provide 'ls -l' output of the destination please.
 
LVL 1

Author Comment

by:Phelms215
ID: 36897515
To every directory in the home directory, so it can sync it to another server.


drwxrwxr-x 15 rsync   root       4096 Oct  1 13:38 ./
drwxr-xr-x 24 root    root       4096 Oct  1 13:11 ../
drwx--x--x 10 appcify appcify    4096 Sep 29 17:10 appcify/
drwx------  3 rsync   users      4096 Sep 27 10:05 beach/
drwxr-xr-x  5 rsync   root       4096 Sep 28 07:14 .cpan/
drwxr-xr-x  3 rsync   root       4096 Oct  1 04:37 .cpanm/
drwx------  4 rsync   root       4096 Oct  1 04:37 .cpcpan/
drwx------  3 rsync   root       4096 Sep 28 07:24 cpeasyapache/
drwx------ 32 rsync   root       4096 Sep 29 17:34 cpmove-phelms/
-rw-r--r--  1 rsync   root    3266560 Sep 29 17:24 cpmove-phelms.tar.gz
drwx--x--x 14 helms   helms      4096 Oct  1 10:25 helms/
drwx--x--x 10 patrick patrick    4096 Sep 25 06:09 patrick/
drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
drwx------  8 rsync   rsync      4096 Oct  1 11:45 rsync/
drwx--x--x  9 stevew  stevew     4096 Sep 29 17:32 stevew/
drwx--x--x 11 twoaces twoaces    4096 Sep 14 22:24 twoaces/

 
LVL 38

Expert Comment

by:wesly_chen
ID: 36897598
> drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
So you have a group called "users".
Add all the users to the group users
(On both machines, edit /etc/group
users:x:<gid>:phelms,rsync,stevew,twoaces,patrick,helms,appcify
)
Then as root, do
chgrp -R  users   /path-to-home-dir
chmod -R  770  /path-to-home-dir

You should be able to rsync those home directories without permission issue.
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897601
If you don't want to change any permissions/groups/owners of the users' home directories, you can achieve this by adding --rsync-path="sudo rsync" to your rsync syntax, then use visudo on the destination machine to allow user rsync to execute that command. The problem with that is that user rsync will now technically be able to rsync over a forged sudoers file and gain complete control of the system.

If you aren't worried about user rsync being compromised on the source server, then that will suffice.  If you want more restriction and security you can achieve it with ssh keys.

Check out http://rdiff-backup.nongnu.org/old-list-archive/2002-January/000065.html
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897614
Another decent link, worth checking out for more of the bigger picture.

http://notes.endnode.se/2009/07/restricted-backups-using-rsync/
 
LVL 1

Author Comment

by:Phelms215
ID: 36897620
If I add them all to users then anyone can see anyone's files; the servers are public facing so I cannot compromise security.
 
LVL 78

Expert Comment

by:arnold
ID: 36897730
That is correct. Setting group permissions to 7 will allow any member of the group full access.

Use setfacl to grant special rights to the rsync user:

setfacl -m user:rsync:rwx -R /home
-m modifies the existing access rights by adding user rsync with read, write and execute rights.

This will grant additional rights to the user rsync on /home and subdirectories.
You should reapply this periodically as it often does not apply to newly created files.
 
LVL 1

Author Comment

by:Phelms215
ID: 36897816
Thanks, I'll try that out. Should I set it as a cron job before the rsync runs? Or is that overkill?
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897824
If you don't want to have to worry about setting permissions/ACLs before each backup and making sure nothing changes in the meantime, check out my suggestion.
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897862
No offense to Wesley or Arnold, because both of their answers are technically correct, but I don't believe they are the correct approach to this particular situation.

If you setfacl -R home before every scheduled backup, you have to take a few things into consideration, but they can basically be summarized into a single comment -- Any data that is new or modified from the time you issue setfacl at the start of the backup will not be included in that backup.

What if /home was 1TB for example?  A lot can happen to the contents of /home during the time it will take to get all that data to the remote server.  Of course that can be applied to any size and depends on the frequency of changes, but the chances of you getting a complete backup decrease as size of the source increases.
 
LVL 1

Author Comment

by:Phelms215
ID: 36901584
@Papertrip

I understand your concern about the issue with files being updated, but I am not too worried about this, as the amount of data that needs to run is simply not enough to worry about and its update frequency is nothing to be alarmed by.

The sites that are being hosted on the boxes are already load balanced; I currently just manually update the files during patches, so if I said "30 minutes for replication to be 100%" I wouldn't worry about that at all.

But I do have one question for you, or maybe arnold can help.

With the setfacl -m user:rsync:rwx -R /home command, is there a way I could exclude the /home/rsync folder from this? I exclude it in the rsync and it messes up permissions for my SSH key, and I really don't want to have to play with a chmod right before the replication; that would just get too messy for me.
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 36903347
setfacl -x user:rsync -R /home/rsync
alternatively
setfacl -R -m user:rsync:rwx `ls -d /home/* | grep -v rsync`
The above will be fine as long as there aren't too many directories in /home.
The below will do an update one subdirectory at a time within /home
ls /home | grep -v rsync | while read a; do
# prefix with /home/ so the name from ls is not resolved relative to the current directory
setfacl -R -m user:rsync:rwx "/home/$a"
done
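A self-contained version of the exclude-the-rsync-home loop, added here as an example and not code from the thread: it enumerates /home with absolute paths from find (so no name is resolved against the current directory and symlinks are skipped), grants only read access (rX instead of the thread's rwx, since a backup source only has to be read), and also sets a default ACL so files created later inherit the entry. The home root, the excluded name and the setfacl command are parameters, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Grants the backup user "rsync"
# read-only access to every home directory except its own, using POSIX ACLs.

# list_home_targets ROOT SKIP
# Print the absolute path of each top-level directory under ROOT except SKIP,
# one per line. find gets the absolute root, so nothing is ever resolved
# relative to the current directory, and -type d without -L skips symlinks.
list_home_targets() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -name "$2" | sort
}

# grant_rsync_read ROOT SKIP [SETFACL]
# Apply the ACL entries to every target. SETFACL defaults to the real
# setfacl; pass a stub (e.g. echo) to preview the calls without changes.
grant_rsync_read() {
    root=$1; skip=$2; setfacl_cmd=${3:-setfacl}
    list_home_targets "$root" "$skip" | while IFS= read -r dir; do
        # Access ACL on the existing tree: r everywhere, X adds execute only
        # on directories (and files already executable), which is all rsync
        # needs to read a source tree.
        "$setfacl_cmd" -R -m user:rsync:rX "$dir" || return 1
        # Default ACL on each directory so files and subdirectories created
        # later inherit the entry. Default entries exist only on directories,
        # so walk those explicitly instead of relying on -R to skip files.
        find "$dir" -type d | while IFS= read -r sub; do
            "$setfacl_cmd" -d -m user:rsync:rX "$sub" || return 1
        done || return 1
    done
}

# Constructed demo tree (not the thread's real /home): preview the calls with
# echo standing in for setfacl, then clean up. Run the real thing as root with
# grant_rsync_read /home rsync
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/docs" "$t/home/bob" "$t/home/rsync/.ssh"
    grant_rsync_read "$t/home" rsync echo
    rm -rf "$t"
}
```

Default ACLs cover files created inside those directories afterwards, not files moved in from elsewhere, so a periodic re-run still has value for those. If the filesystem is not mounted with ACL support (the acl mount option), setfacl fails with "Operation not supported".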
 
LVL 1

Author Comment

by:Phelms215
ID: 36909168
Problem!

So I ran that command you gave me:
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`

and for some reason it was running throughout the entire filesystem?!!?! And when I rebooted my server sshd didn't even start, and MySQL won't start either.

MySQL manager or server PID file could not be found!       [FAILED]
Starting MySQL.Manager of pid-file quit without updating fi[FAILED]
 
LVL 78

Expert Comment

by:arnold
ID: 36910275
Unless there was a typo in what you entered, there should not have been any reason why setfacl would run against the entire file system.
What is returned when you run ls -la /home | grep -v rsync?
find -H /home  -type l -ls
The above will output all symbolic links that exist in the /home directory.
Run
getfacl / to see whether you altered the settings on

setfacl -R -x user:rsync /path-to-dir will remove the extra setting set before with setfacl.

ls / | while read a; do
echo "$a"
# use the full path so the entry is not looked up relative to the current directory
getfacl "/$a"
echo "---------"
done

The above will display the settings in the top / directories.