Solved

Permission issue Centos

Posted on 2011-10-01
Last Modified: 2012-08-13
Hello,

I'm making an rsync script that will sync two servers. I made an account, rsync, and set up the SSH key so I don't need to log in every time with that account. It works except for one problem I am having: the account doesn't have access to the home directory...

What do I have to do to give this user access to the home directory and everything in it, without changing the ownership of the folder itself?
Question by:Phelms215
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897467
To which home directory?  A user other than rsync?

Provide 'ls -l' output of the destination please.
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897515
To every directory in the home directory, so it can sync it to another server.


drwxrwxr-x 15 rsync   root       4096 Oct  1 13:38 ./
drwxr-xr-x 24 root    root       4096 Oct  1 13:11 ../
drwx--x--x 10 appcify appcify    4096 Sep 29 17:10 appcify/
drwx------  3 rsync   users      4096 Sep 27 10:05 beach/
drwxr-xr-x  5 rsync   root       4096 Sep 28 07:14 .cpan/
drwxr-xr-x  3 rsync   root       4096 Oct  1 04:37 .cpanm/
drwx------  4 rsync   root       4096 Oct  1 04:37 .cpcpan/
drwx------  3 rsync   root       4096 Sep 28 07:24 cpeasyapache/
drwx------ 32 rsync   root       4096 Sep 29 17:34 cpmove-phelms/
-rw-r--r--  1 rsync   root    3266560 Sep 29 17:24 cpmove-phelms.tar.gz
drwx--x--x 14 helms   helms      4096 Oct  1 10:25 helms/
drwx--x--x 10 patrick patrick    4096 Sep 25 06:09 patrick/
drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
drwx------  8 rsync   rsync      4096 Oct  1 11:45 rsync/
drwx--x--x  9 stevew  stevew     4096 Sep 29 17:32 stevew/
drwx--x--x 11 twoaces twoaces    4096 Sep 14 22:24 twoaces/

 
LVL 38

Expert Comment

by:wesly_chen
ID: 36897598
> drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
So you have a group called "users".
Add all the users to the group users
(On both machines, edit /etc/group
users:x:<gid>:phelms,rsync,stevew,twoaces,patrick,helms,appcify
)
Then as root, do
chgrp -R  users   /path-to-home-dir
chmod -R  770  /path-to-home-dir

You should be able to rsync those home directories without permission issue.
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897601
If you don't want to change any permissions/groups/owners of the users home directories, you can achieve this by adding --rsync-path="sudo rsync" to your rsync syntax, then use visudo on the destination machine to allow user rsync to execute that command.  The problem with that is user rsync will now technically be able to rsync over a forged sudoers file, and gain complete control of the system.

If you aren't worried about user rsync being compromised on the source server, then that will suffice.  If you want more restriction and security you can achieve it with ssh keys.

Check out http://rdiff-backup.nongnu.org/old-list-archive/2002-January/000065.html
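As an added example of the "more restriction with ssh keys" route Papertrip mentions (my code, not from the thread or the linked pages; the authorized_keys layout in the comment is an assumption): a forced-command wrapper that only lets the rsync key start a read-only rsync server under /home, so the key cannot be used to push files such as a forged sudoers file or to run anything else. It restricts what the key may run; read access to other users' directories still comes from the ACL or sudo step.

```shell
#!/bin/sh
# validate_rsync.sh: forced command for the rsync account's key on the host
# that is being read. Assumed key line in ~rsync/.ssh/authorized_keys:
#   command="/usr/local/bin/validate_rsync.sh",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA...
# sshd runs this script instead of the client's request and exposes the
# request in SSH_ORIGINAL_COMMAND; we run it only if it passes the checks.

ALLOWED_ROOT="/home/"   # assumption: only this tree may be served

# check_rsync_command CMD -> 0 if CMD is a read-only rsync server invocation
# rooted under ALLOWED_ROOT, 1 otherwise.
check_rsync_command() {
    cmd=$1
    # reject anything a shell could interpret (defence in depth; exec below
    # never hands the string to a shell anyway)
    case "$cmd" in *';'*|*'&'*|*'|'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*|*'`'*) return 1 ;; esac
    # only the "sender" form: the client pulls, nothing is written on this host
    case "$cmd" in "rsync --server --sender "*) ;; *) return 1 ;; esac
    # sender-side options that delete source files after transfer are refused
    case "$cmd" in *--remove-source-files*|*--remove-sent-files*) return 1 ;; esac
    # the last word of an rsync server command is the directory it will serve
    path=${cmd##* }
    case "$path" in "$ALLOWED_ROOT"*) ;; *) return 1 ;; esac
    case "$path" in *..*) return 1 ;; esac
    return 0
}

# Entry point when invoked by sshd; skipped when the file is sourced for tests.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # plain word splitting on whitespace, no re-parsing by a shell
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Rejected requests are logged to stderr, which sshd forwards to the client, so a failed pull shows up in the backup job's output rather than silently doing nothing.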
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897614
Another decent link, worth checking out for more of the bigger picture.

http://notes.endnode.se/2009/07/restricted-backups-using-rsync/
 
LVL 1

Author Comment

by:Phelms215
ID: 36897620
If I add them all to users then anyone can see anyone's files; the servers are public facing so I cannot compromise security.
 
LVL 76

Expert Comment

by:arnold
ID: 36897730
That is correct. Setting group permissions to 7 will allow any member of the group full access.

Use setfacl to grant special rights to the rsync user:

setfacl -m user:rsync:rwx -R /home
-m modifies the existing access rights by adding user rsync with read, write and execute rights.

This will grant additional rights to the user rsync on /home and subdirectories.
You should reapply this periodically as it often does not apply to newly created files.
 
LVL 1

Author Comment

by:Phelms215
ID: 36897816
Thanks, I'll try that out. Should I set it as a cron before the rsync runs? Or is that overkill?
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897824
If you don't want to have to worry about setting permissions / acl's before each backup and making sure nothing changes in the meantime, check out my suggestion.
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897862
No offense to Wesley or Arnold, because both of their answers are technically correct, but I don't believe they are the correct approach to this particular situation.

If you setfacl -R home before every scheduled backup, you have to take a few things into consideration, but they can basically be summarized into a single comment -- Any data that is new or modified from the time you issue setfacl at the start of the backup will not be included in that backup.

What if /home was 1TB for example?  A lot can happen to the contents of /home during the time it will take to get all that data to the remote server.  Of course that can be applied to any size and depends on the frequency of changes, but the chances of you getting a complete backup decrease as the size of the source increases.
 
LVL 1

Author Comment

by:Phelms215
ID: 36901584
@Papertrip

I understand your concern about files being updated, but I am not too worried about this, as the amount of data that needs to run is simply not enough to worry about and its update frequency is nothing to be alarmed about.

The sites that are being hosted on the boxes are already load balanced; I currently just manually update the files during patches. So if I said "30 minutes for replication to be 100%" I wouldn't worry about that at all.

But I do have one question for you, or maybe arnold can help.

With the setfacl -m user:rsync:rwx -R /home command, is there a way I could exclude the /home/rsync folder from this? I exclude it in the rsync and it messes up permissions for my SSH key, and I really don't want to have to play with a chmod right before the replication; that would just get too messy for me.
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 36903347
setfacl -x user:rsync -R /home/rsync
alternatively (ls -d gives absolute paths, so this does not depend on the current directory)
setfacl -R -m user:rsync:rwx `ls -d /home/* | grep -v '^/home/rsync$'`
The above will be fine as long as there aren't too many directories in /home.
The below will do an update one subdirectory at a time within /home
ls /home | grep -v '^rsync$' | while read a; do
setfacl -R -m user:rsync:rwx "/home/$a"
done
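An added example (my code, not arnold's) that serves both his setfacl suggestion above and the exclusion of /home/rsync asked for here: it builds absolute paths with find so the result does not depend on the working directory, skips symlinks and the rsync directory, and also sets a default ACL so files created later inherit the entry instead of needing a re-run. It assumes the acl package is installed and /home is on an ACL-enabled filesystem, and, because the rsync account only needs to read the source tree, it narrows the grant from rwx to rX.

```shell
#!/bin/sh
# Grant the rsync account an ACL on every home directory except its own.
# Constructed example; not code from the thread.

HOME_ROOT=${HOME_ROOT:-/home}
ACL_USER=${ACL_USER:-rsync}

# acl_targets ROOT SKIP -> one absolute directory per line, excluding ROOT/SKIP.
# -type d without -L matches real directories only (symlinks are skipped), and
# dot-directories such as .cpan are included, which a plain `ls` would hide.
acl_targets() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -name "$2" | LC_ALL=C sort
}

# apply_acl ROOT SKIP USER [dry] -> runs setfacl per directory; with "dry"
# it prints the commands instead of running them.
apply_acl() {
    root=$1 skip=$2 user=$3 mode=${4:-run}
    acl_targets "$root" "$skip" | while IFS= read -r dir; do
        # -m: access ACL on everything that exists now
        # -d -m: default ACL, inherited by files and directories created later
        if [ "$mode" = dry ]; then
            echo "setfacl -R -m user:$user:rX -d -m user:$user:rX \"$dir\""
        else
            setfacl -R -m "user:$user:rX" -d -m "user:$user:rX" "$dir"
        fi
    done
}

# Stand-alone use: ./grant_rsync_acl.sh [dry]
# apply_acl "$HOME_ROOT" "$ACL_USER" "$ACL_USER" "$1"
```

Run it once with the dry argument and compare the printed list against `ls -la /home` before letting it touch anything.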
 
LVL 1

Author Comment

by:Phelms215
ID: 36909168
Problem!

So I ran that command you gave me:
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`

and for some reason it was running throughout the entire filesystem?!!?! And when I rebooted my server, sshd didn't even start and MySQL won't start either.

MySQL manager or server PID file could not be found!       [FAILED]
Starting MySQL.Manager of pid-file quit without updating fi[FAILED]
 
LVL 76

Expert Comment

by:arnold
ID: 36910275
Unless there was a typo in what you entered, there should not have been any reason why setfacl would run against the entire file system.
What is returned when you run ls -la /home | grep -v rsync?
find -H /home -type l -ls
The above will output all symbolic links that exist in the /home directory.
Run
getfacl / to see whether you altered the settings on

setfacl -R -x user:rsync will remove the extra setting set before with setfacl.


ls / | while read a; do
echo "$a"
getfacl "/$a"
echo "---------"
done

The above will display the settings in the top / directories.