Permission issue Centos

Hello,

I'm making a rsync script that will sync two servers.. I made an account rsync and setup the ssh key so I dont need to login everytime with that account. It works except for one problem I am having, the account doesnt have access to the home directory...

What what I have to do to give this user access to the home directory and everything in it.. without changing the ownership of the folder itself?
LVL 1
Phelms215Asked:
Who is Participating?
 
arnoldConnect With a Mentor Commented:
setfacl -x user:rsync -R /home/rsync
alternatively
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`
The above will be fine as long as there aren't too many directories in /home.
The below will do an update one subdirectory at a time within /home
ls /home | grep -v rsync | while read a; do
setfacl -R -m user:rsync:rwx $a
done
0
 
PapertripCommented:
To which home directory?  A user other than rsync?

Provide 'ls -l' output of the destination please.
0
 
Phelms215Author Commented:
to every directory in the home directory.. so it can sync it to another server.


drwxrwxr-x 15 rsync   root       4096 Oct  1 13:38 ./
drwxr-xr-x 24 root    root       4096 Oct  1 13:11 ../
drwx--x--x 10 appcify appcify    4096 Sep 29 17:10 appcify/
drwx------  3 rsync   users      4096 Sep 27 10:05 beach/
drwxr-xr-x  5 rsync   root       4096 Sep 28 07:14 .cpan/
drwxr-xr-x  3 rsync   root       4096 Oct  1 04:37 .cpanm/
drwx------  4 rsync   root       4096 Oct  1 04:37 .cpcpan/
drwx------  3 rsync   root       4096 Sep 28 07:24 cpeasyapache/
drwx------ 32 rsync   root       4096 Sep 29 17:34 cpmove-phelms/
-rw-r--r--  1 rsync   root    3266560 Sep 29 17:24 cpmove-phelms.tar.gz
drwx--x--x 14 helms   helms      4096 Oct  1 10:25 helms/
drwx--x--x 10 patrick patrick    4096 Sep 25 06:09 patrick/
drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
drwx------  8 rsync   rsync      4096 Oct  1 11:45 rsync/
drwx--x--x  9 stevew  stevew     4096 Sep 29 17:32 stevew/
drwx--x--x 11 twoaces twoaces    4096 Sep 14 22:24 twoaces/

Open in new window

0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
wesly_chenCommented:
> drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
So you have a group called "users".
Add all the users to the group users
(On both machines, edit /etc/group
users:x:<gid>:phelms,rsync,stevew,twoaces,patrick,helms,appcify
)
Then as root, do
chgrp -R  users   /path-to-home-dir
chmod -R  770  /path-to-home-dir

You should be able to rsync those home directories without permission issue.
0
 
PapertripCommented:
If you don't want to change any permissions/groups/owners of the users home directories, you can achieve this by adding --rsync-path="sudo rsync" to your rsync syntax, then use visudo on the destination machine to allow user rsync to execute that command.  The problem with that is user rsync will now technically be able to rsync over a forged sudoers file, and gain complete control of the system.

If you aren't worried about user rsync being compromised on the source server, then that will suffice.  If you want more restriction and security you can achieve it with ssh keys.

Check out http://rdiff-backup.nongnu.org/old-list-archive/2002-January/000065.html
0
 
PapertripCommented:
Another decent link, worth checking out for more of the bigger picture.

http://notes.endnode.se/2009/07/restricted-backups-using-rsync/
0
 
Phelms215Author Commented:
If i add them all to users then anyone can see anyones files, the servers are public facing so i cannot comprimise security
0
 
arnoldCommented:
That is correct. setting group permissions with 7 will allow any member of the group full access.

use setfacl to grant special rights to the rsync user

setfacl -m user:rsync:rwx -R /home
-m modify the existing access rights by adding user rsync with read, write and execute rights.

This will grant additional rights to the user rsync on /home and subdirectories.
You should reapply this periodically as it often does not apply to newly created files.



0
 
Phelms215Author Commented:
Thanks, ill try that out.. Should i set it as a cron before the rsync runs? Or is that overkill
0
 
Phelms215Author Commented:
Thanks, ill try that out.. Should i set it as a cron before the rsync runs? Or is that overkill
0
 
PapertripCommented:
If you don't want to have to worry about setting permissions / acl's before each backup and making sure nothing changes in the meantime, check out my suggestion.
0
 
PapertripCommented:
No offense to Wesley or Arnold, because both of their answers are technically correct, but I don't believe they are the correct approach to this particular situation.

If you setfacl -R home before every scheduled backup, you have to take a few things into consideration, but they can basically be summarized into a single comment -- Any data that is new or modified from the time you issue setfacl at the start of the backup will not be included in that backup.

What if /home was 1TB for example?  A lot can happen to the contents of /home during the time it will take to get all that data to the remote server.  Of course that can be applied to any size and depends on the frequency of changes, but the chances of you getting a complete backup decrease as size of the source increases.
0
 
Phelms215Author Commented:
@Papertrip

I understand your concern about the issue with files being updated but I am not too worried about this.. as the amount of data that needs to run is simply not enough to worry and its update freq is not to be alarmed..

the sites that are being hosted on the boxes are already in load balancing I currently just manually update the files during patches.. so if I said "30 minutes for replication to be 100%" i wouldnt worry about that at all..

but I do have one question for you or maybe arnold can help..

with the setfacl -m user:rsync:rwx -R /home command is there a way I could exclude the /home/rsync folder from this? I exclude it in the rsync and it messes up permissions for my ssh key.. and i really don't wanna have to play with a chmod right before the replication that would just get too messy for me..
0
 
Phelms215Author Commented:
Problem!

So I ran that command you gave me
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`

and for some reason it was running throughout the entire filesystem?!!?! and when I rebooted my server sshd didnt even start and mysql wont start either..

MySQL manager or server PID file could not be found!       [FAILED]
Starting MySQL.Manager of pid-file quit without updating fi[FAILED]
0
 
arnoldCommented:
Unless there was a typo in what you entered, there should not have been any reason why setfacl would run against the entire file system.
what is returned when you run ls -la /home | grep -v rsync?
find -H /home  -type l -ls
The above will output all symbolic links that exist in the /home directory
run
getfacl / to see whether you altered the settings on

setfacl -R -x user:rsync will remove the extra setting set before with setfacl.


ls / | while read a; do
echo "$a"
getfacl $a
echo "---------"
done

The above will display the settings in the top / directories.



0
All Courses

From novice to tech pro — start learning today.