
Permission issue Centos

Posted on 2011-10-01
Last Modified: 2012-08-13
Hello,

I'm making an rsync script that will sync two servers. I made an account rsync and set up the ssh key so I don't need to log in every time with that account. It works except for one problem I am having: the account doesn't have access to the home directory...

What would I have to do to give this user access to the home directory and everything in it, without changing the ownership of the folder itself?
Question by:Phelms215
15 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897467
To which home directory?  A user other than rsync?

Provide 'ls -l' output of the destination please.
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897515
To every directory in the home directory, so it can sync it to another server.


drwxrwxr-x 15 rsync   root       4096 Oct  1 13:38 ./
drwxr-xr-x 24 root    root       4096 Oct  1 13:11 ../
drwx--x--x 10 appcify appcify    4096 Sep 29 17:10 appcify/
drwx------  3 rsync   users      4096 Sep 27 10:05 beach/
drwxr-xr-x  5 rsync   root       4096 Sep 28 07:14 .cpan/
drwxr-xr-x  3 rsync   root       4096 Oct  1 04:37 .cpanm/
drwx------  4 rsync   root       4096 Oct  1 04:37 .cpcpan/
drwx------  3 rsync   root       4096 Sep 28 07:24 cpeasyapache/
drwx------ 32 rsync   root       4096 Sep 29 17:34 cpmove-phelms/
-rw-r--r--  1 rsync   root    3266560 Sep 29 17:24 cpmove-phelms.tar.gz
drwx--x--x 14 helms   helms      4096 Oct  1 10:25 helms/
drwx--x--x 10 patrick patrick    4096 Sep 25 06:09 patrick/
drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
drwx------  8 rsync   rsync      4096 Oct  1 11:45 rsync/
drwx--x--x  9 stevew  stevew     4096 Sep 29 17:32 stevew/
drwx--x--x 11 twoaces twoaces    4096 Sep 14 22:24 twoaces/


0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36897598
> drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
So you have a group called "users".
Add all the users to the group users
(On both machines, edit /etc/group
users:x:<gid>:phelms,rsync,stevew,twoaces,patrick,helms,appcify
)
Then as root, do
chgrp -R  users   /path-to-home-dir
chmod -R  770  /path-to-home-dir

You should be able to rsync those home directories without permission issue.
0

 
LVL 21

Expert Comment

by:Papertrip
ID: 36897601
If you don't want to change any permissions/groups/owners of the users' home directories, you can achieve this by adding --rsync-path="sudo rsync" to your rsync syntax, then use visudo on the destination machine to allow user rsync to execute that command.  The problem with that is user rsync will now technically be able to rsync over a forged sudoers file, and gain complete control of the system.

If you aren't worried about user rsync being compromised on the source server, then that will suffice.  If you want more restriction and security you can achieve it with ssh keys.

Check out http://rdiff-backup.nongnu.org/old-list-archive/2002-January/000065.html
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897614
Another decent link, worth checking out for more of the bigger picture.

http://notes.endnode.se/2009/07/restricted-backups-using-rsync/
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897620
If I add them all to users then anyone can see anyone's files. The servers are public facing so I cannot compromise security.
0
 
LVL 80

Expert Comment

by:arnold
ID: 36897730
That is correct. Setting group permissions with 7 will allow any member of the group full access.

Use setfacl to grant special rights to the rsync user:

setfacl -m user:rsync:rwx -R /home
-m modify the existing access rights by adding user rsync with read, write and execute rights.

This will grant additional rights to the user rsync on /home and subdirectories.
You should reapply this periodically as it often does not apply to newly created files.



0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897816
Thanks, I'll try that out. Should I set it as a cron before the rsync runs? Or is that overkill?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897824
If you don't want to have to worry about setting permissions / ACLs before each backup and making sure nothing changes in the meantime, check out my suggestion.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897862
No offense to Wesley or Arnold, because both of their answers are technically correct, but I don't believe they are the correct approach to this particular situation.

If you setfacl -R home before every scheduled backup, you have to take a few things into consideration, but they can basically be summarized into a single comment -- Any data that is new or modified from the time you issue setfacl at the start of the backup will not be included in that backup.

What if /home was 1TB for example?  A lot can happen to the contents of /home during the time it will take to get all that data to the remote server.  Of course that can be applied to any size and depends on the frequency of changes, but the chances of you getting a complete backup decrease as size of the source increases.
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36901584
@Papertrip

I understand your concern about the issue with files being updated but I am not too worried about this, as the amount of data that needs to run is simply not enough to worry and its update freq is not to be alarmed.

The sites that are being hosted on the boxes are already in load balancing; I currently just manually update the files during patches. So if I said "30 minutes for replication to be 100%" I wouldn't worry about that at all.

But I do have one question for you, or maybe arnold can help.

With the setfacl -m user:rsync:rwx -R /home command, is there a way I could exclude the /home/rsync folder from this? I exclude it in the rsync and it messes up permissions for my ssh key, and I really don't wanna have to play with a chmod right before the replication; that would just get too messy for me.
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 36903347
setfacl -x user:rsync -R /home/rsync
alternatively
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`
The above will be fine as long as there aren't too many directories in /home.
The below will do an update one subdirectory at a time within /home
ls /home | grep -v rsync | while read a; do
setfacl -R -m user:rsync:rwx "/home/$a"
done
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36909168
Problem!

So I ran that command you gave me:
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`

and for some reason it was running throughout the entire filesystem?!!?! And when I rebooted my server sshd didn't even start and mysql won't start either.

MySQL manager or server PID file could not be found!       [FAILED]
Starting MySQL.Manager of pid-file quit without updating fi[FAILED]
0
 
LVL 80

Expert Comment

by:arnold
ID: 36910275
Unless there was a typo in what you entered, there should not have been any reason why setfacl would run against the entire file system.
What is returned when you run ls -la /home | grep -v rsync?
find -H /home  -type l -ls
The above will output all symbolic links that exist in the /home directory
run
getfacl / to see whether you altered the settings on

setfacl -R -x user:rsync will remove the extra setting set before with setfacl.


ls / | while read a; do
echo "$a"
getfacl "/$a"
echo "---------"
done

The above will display the settings in the top / directories.



0
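
A more defensive way to build the target list for the setfacl commands discussed in this thread, as an added example that is not part of any poster's answer. It takes absolute paths from a shell glob instead of parsing ls output (which depends on the current directory and on any ls alias), skips symlinks, and defaults to a dry run. HOME_BASE, SKIP_USER, ACL_SPEC and DRY_RUN are names assumed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). HOME_BASE, SKIP_USER, ACL_SPEC and
# DRY_RUN are illustrative names; the ACL entry is the one used in the thread.
HOME_BASE="${HOME_BASE:-/home}"
SKIP_USER="${SKIP_USER:-rsync}"
ACL_SPEC="${ACL_SPEC:-user:rsync:rwx}"

# Print the absolute path of every real directory directly under $1, one per
# line, skipping the directory named $2. The glob never yields "." or "..",
# and dot-directories are not matched; symlinks are skipped explicitly.
acl_targets() {
    for entry in "$1"/*/; do
        entry="${entry%/}"
        if [ ! -d "$entry" ]; then continue; fi      # glob matched nothing
        if [ -L "$entry" ]; then continue; fi        # symlink: may point outside
        if [ "${entry##*/}" = "$2" ]; then continue; fi
        printf '%s\n' "$entry"
    done
}

# Apply ACL_SPEC to each target. DRY_RUN=1 (the default) only prints the
# commands so the target list can be reviewed before anything is changed.
# -P (physical walk) stops setfacl -R from following symlinks to directories.
apply_acl() {
    acl_targets "$1" "$2" | while IFS= read -r dir; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'setfacl -R -P -m %s -- "%s"\n' "$ACL_SPEC" "$dir"
        else
            setfacl -R -P -m "$ACL_SPEC" -- "$dir"
        fi
    done
}

apply_acl "$HOME_BASE" "$SKIP_USER"
```

Run it once as is to review the printed commands, then with DRY_RUN=0 as root to apply them.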

Question has a verified solution.
