Solved

Permission issue Centos

Posted on 2011-10-01
Last Modified: 2012-08-13
Hello,

I'm making an rsync script that will sync two servers. I made an account rsync and set up the SSH key so I don't need to log in every time with that account. It works except for one problem I am having: the account doesn't have access to the home directory...

What would I have to do to give this user access to the home directory and everything in it, without changing the ownership of the folder itself?
Question by:Phelms215
15 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897467
To which home directory?  A user other than rsync?

Provide 'ls -l' output of the destination please.
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897515
To every directory in the home directory, so it can sync it to another server.


drwxrwxr-x 15 rsync   root       4096 Oct  1 13:38 ./
drwxr-xr-x 24 root    root       4096 Oct  1 13:11 ../
drwx--x--x 10 appcify appcify    4096 Sep 29 17:10 appcify/
drwx------  3 rsync   users      4096 Sep 27 10:05 beach/
drwxr-xr-x  5 rsync   root       4096 Sep 28 07:14 .cpan/
drwxr-xr-x  3 rsync   root       4096 Oct  1 04:37 .cpanm/
drwx------  4 rsync   root       4096 Oct  1 04:37 .cpcpan/
drwx------  3 rsync   root       4096 Sep 28 07:24 cpeasyapache/
drwx------ 32 rsync   root       4096 Sep 29 17:34 cpmove-phelms/
-rw-r--r--  1 rsync   root    3266560 Sep 29 17:24 cpmove-phelms.tar.gz
drwx--x--x 14 helms   helms      4096 Oct  1 10:25 helms/
drwx--x--x 10 patrick patrick    4096 Sep 25 06:09 patrick/
drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
drwx------  8 rsync   rsync      4096 Oct  1 11:45 rsync/
drwx--x--x  9 stevew  stevew     4096 Sep 29 17:32 stevew/
drwx--x--x 11 twoaces twoaces    4096 Sep 14 22:24 twoaces/


0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36897598
> drwxrwxr-x  9 phelms  users      4096 Oct  1 11:34 phelms/
So you have a group called "users".
Add all the users to the group users
(On both machines, edit /etc/group
users:x:<gid>:phelms,rsync,stevew,twoaces,patrick,helms,appcify
)
Then as root, do
chgrp -R  users   /path-to-home-dir
chmod -R  770  /path-to-home-dir

You should be able to rsync those home directories without permission issue.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897601
If you don't want to change any permissions/groups/owners of the users' home directories, you can achieve this by adding --rsync-path="sudo rsync" to your rsync syntax, then use visudo on the destination machine to allow user rsync to execute that command.  The problem with that is user rsync will now technically be able to rsync over a forged sudoers file, and gain complete control of the system.

If you aren't worried about user rsync being compromised on the source server, then that will suffice.  If you want more restriction and security you can achieve it with ssh keys.

Check out http://rdiff-backup.nongnu.org/old-list-archive/2002-January/000065.html
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897614
Another decent link, worth checking out for more of the bigger picture.

http://notes.endnode.se/2009/07/restricted-backups-using-rsync/
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897620
If I add them all to users then anyone can see anyone's files; the servers are public facing so I cannot compromise security.
0
 
LVL 77

Expert Comment

by:arnold
ID: 36897730
That is correct. Setting group permissions with 7 will allow any member of the group full access.

Use setfacl to grant special rights to the rsync user:

setfacl -m user:rsync:rwx -R /home
-m modify the existing access rights by adding user rsync with read, write and execute rights.

This will grant additional rights to the user rsync on /home and subdirectories.
You should reapply this periodically as it often does not apply to newly created files.



0
 
LVL 1

Author Comment

by:Phelms215
ID: 36897816
Thanks, I'll try that out. Should I set it as a cron before the rsync runs? Or is that overkill?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897824
If you don't want to have to worry about setting permissions / ACLs before each backup and making sure nothing changes in the meantime, check out my suggestion.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36897862
No offense to Wesley or Arnold, because both of their answers are technically correct, but I don't believe they are the correct approach to this particular situation.

If you setfacl -R home before every scheduled backup, you have to take a few things into consideration, but they can basically be summarized into a single comment -- Any data that is new or modified from the time you issue setfacl at the start of the backup will not be included in that backup.

What if /home was 1TB for example?  A lot can happen to the contents of /home during the time it will take to get all that data to the remote server.  Of course that can be applied to any size and depends on the frequency of changes, but the chances of you getting a complete backup decrease as size of the source increases.
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36901584
@Papertrip

I understand your concern about the issue with files being updated but I am not too worried about this, as the amount of data that needs to run is simply not enough to worry and its update freq is not to be alarmed.

The sites that are being hosted on the boxes are already in load balancing; I currently just manually update the files during patches. So if I said "30 minutes for replication to be 100%" I wouldn't worry about that at all.

But I do have one question for you, or maybe arnold can help.

With the setfacl -m user:rsync:rwx -R /home command, is there a way I could exclude the /home/rsync folder from this? I exclude it in the rsync and it messes up permissions for my ssh key, and I really don't wanna have to play with a chmod right before the replication; that would just get too messy for me.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 36903347
setfacl -x user:rsync -R /home/rsync
alternatively
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`
The above will be fine as long as there aren't too many directories in /home.
The below will do an update one subdirectory at a time within /home
ls /home | grep -v rsync | while read a; do
setfacl -R -m user:rsync:rwx $a
done
0
 
LVL 1

Author Comment

by:Phelms215
ID: 36909168
Problem!

So I ran that command you gave me
setfacl -R -m user:rsync:rwx `ls /home | grep -v rsync`

and for some reason it was running throughout the entire filesystem?!!?! And when I rebooted my server sshd didn't even start and mysql won't start either.

MySQL manager or server PID file could not be found!       [FAILED]
Starting MySQL.Manager of pid-file quit without updating fi[FAILED]
0
 
LVL 77

Expert Comment

by:arnold
ID: 36910275
Unless there was a typo in what you entered, there should not have been any reason why setfacl would run against the entire file system.
What is returned when you run ls -la /home | grep -v rsync?
find -H /home  -type l -ls
The above will output all symbolic links that exist in the /home directory
run
getfacl / to see whether you altered the settings on

setfacl -R -x user:rsync will remove the extra setting set before with setfacl.


# Show the ACL of each top-level directory under /
ls / | while read -r a; do
echo "/$a"
getfacl "/$a"
echo "---------"
done

The above will display the settings in the top / directories.



0
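Added example, not part of the original thread and not any poster's code: `ls /home` prints bare names rather than absolute paths, and the listing earlier in the thread includes `./` and `../` entries, so this script builds the setfacl target list from a glob on an absolute base instead of from ls output. The function names `acl_targets` and `apply_acl` are hypothetical, and the default-ACL entry goes beyond the commands posted above.

```bash
#!/usr/bin/env bash
# Added example: choose setfacl targets by absolute path, never by parsing ls.
set -u

# Print the real directories directly under $1 (default /home), one absolute
# path per line, skipping the entry named $2 (default rsync).
acl_targets() {
    local base=${1:-/home} skip=${2:-rsync} d
    case $base in
        /)  return 1 ;;   # never treat the filesystem root as the base
        /*) ;;            # absolute path: accepted
        *)  return 1 ;;   # relative path would depend on the current directory
    esac
    base=${base%/}
    # A glob never expands to "." or "..", and each match keeps its $base prefix.
    for d in "$base"/* "$base"/.[!.]*; do
        [ -d "$d" ] || continue               # files and unmatched patterns
        [ -L "$d" ] && continue               # symlinked directories
        [ "${d##*/}" = "$skip" ] && continue  # keeps ~rsync/.ssh untouched
        printf '%s\n' "$d"
    done
    return 0
}

# Apply the thread's ACL to every target. -P stops the recursive walk from
# following symlinks. The d: (default ACL) entry is an addition to the thread's
# command: new files created under these directories inherit it.
apply_acl() {
    local user=$1 perms=$2 base=$3 skip=$4 d
    acl_targets "$base" "$skip" | while IFS= read -r d; do
        setfacl -R -P -m "u:$user:$perms,d:u:$user:$perms" -- "$d"
    done
}

# Nothing changes unless --apply is given; --list prints the targets only.
case ${1:-} in
    --apply) apply_acl rsync rwx /home rsync ;;
    --list)  acl_targets /home rsync ;;
esac
```

On a server that rsync only reads from, `rX` in place of `rwx` is enough for the rsync user to read the tree.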


Question has a verified solution.
