BackupPC-users

Re: [BackupPC-users] ssh into multiple users on one machine? / using authorized_keys options / IRC channel?

2008-04-07 12:55:53
From: Ryan Manikowski <rmanikowski AT proteus DOT com>
To: backuppc-users AT lists.sourceforge DOT net
Date: Mon, 07 Apr 2008 12:54:42 -0400
The 'host' name is merely an alias. To define the actual IP address to 
connect to you can specify $Conf{ClientNameAlias} on a per host basis in 
the Host Config under Backup Settings. Thus you can have a host named 
'user1laptop' but set the ClientNameAlias to the IP address that 
BackupPC should connect to.

To handle the issue of them not wanting to allow BackupPC to have root 
permissions, create an unprivileged account named backuppc and use that 
to ssh into client machines via ssh pubkey. From there you will want to 
specify in the /etc/sudoers file that the backuppc account has 
permission to run the rsync command as root. e.g.

backuppc   ALL=NOPASSWD:   /usr/bin/rsync --server --sender ?*

If you want to get even more paranoid you can limit the sudoers file to 
only run rsync as specific non-root users. e.g.

backuppc ALL=(user1) NOPASSWD: /usr/bin/rsync --server --sender ?*, \
         (user2) /usr/bin/rsync --server --sender ?*

Ideally, you'll want to define a Runas_List alias in the /etc/sudoers 
file. From there you modify the RsyncClientCmd parameter for each host 
to execute as the required user:

$sshPath -p 22 -q -x -l backuppc $host /usr/bin/sudo -u <username> $rsyncPath $argList+


Hope this helps you out.

Ryan Manikowski




Axel Beckert wrote:
> Hi,
>
> three things which I was thinking about recently:
>
>
> First thing:
>
> We're running a BackupPC server with several TB disk space for laptops
> in our Department. As usual some users are more paranoid than
> others...
>
> The more paranoid users who just want their data backed up, not the
> whole machine, won't give root permission to the backup server's ssh
> key. So we ssh into the user whose home directory we want to back up. No
> problem so far.
>
> But now I've got a few such boxes used by two or more persons (a
> professor and his PhD students) and all want their home directory
> backed up, but they don't want to give out root login rights.
>
> Has anyone done something similar already? The machines in question
> currently are Macs with MacOS X (so we need to use tar), but we
> probably also need to do this for Linux machines (preferably with
> rsync).
>
> Currently I have several ideas how to accomplish that:
>
> + An ssh wrapper which would execute the tar command on the computer
>   one time for each user. Problem: Just simply concatenating the tar
>   files won't work, you need to make one archive out of them.
>
> + Giving multiple DNS aliases to the computers in question and then
>   seeing them as multiple hosts. (Hope BackupPC doesn't mind several
>   hosts having the same IP address.)
>
>   There are two variants of this idea:
>
>   - Using /etc/hosts of the BackupPC server. Wouldn't clutter the
>     normal DNS, but you need to make all changes to DNS in the hosts
>     file, too.
>
>   - Using CNAME records in DNS. Would be visible for others. Only one
>     place to do changes.
>
> + Creating a local user account on the client which has access to all
>   home directories to back up, but not more. Sounds like a big mess (or
>   at least a big effort) in regards to Unix file permissions.
>
> I currently prefer the DNS alias method (don't know yet if via
> /etc/hosts or normal DNS), but would be happy to hear from others with
> a similar situation what ideas (and perhaps solutions) they had.
>
>
> Second thing:
>
> One of our more paranoid users suggested an improvement which won't
> help if the backup server itself would be compromised but will help if
> the private key got outside the backup server somehow (and makes
> administration harder, if the server changes):
>
> Using options in the authorized_keys file can dyke a key-only
> compromise: The line
>
> from="server1.example.org" ssh-rsa AAAAB3...8z backuppc@server1.example.org
>
> would restrict the key to being used only by the host
> server1.example.org. The given hostname must be the hostname in the
> PTR record for the IP address the BackupPC server connects from. CNAME
> records like e.g. backuppc.example.org pointing to server1.example.org
> won't work in most cases.
>
> IMHO it wouldn't be bad if this could be mentioned at
> http://backuppc.sourceforge.net/faq/security.html#ssh_key_security
>
> Second and a half thing: ;-)
>
> I also played around a little bit with the command="..." option. It
> looks like you could use it with something like 
>
> command="tar `cat`" and then use it from BackupPC like this:
>
> $Conf{TarClientCmd} = 'echo cpvf - -C $shareName+ --totals | $sshPath -q -x -n -l root $host $tarPath';
>
> And even if it doesn't look very security-wise, I haven't managed to
> exploit command="echo `cat`" -- every meta character (backtick,
> backslash, dollar, semicolon, line break, exclamation mark) I tried
> was output literally.
>
> Haven't tested it yet though. And it probably won't work for any
> command which uses both STDIN and STDOUT like e.g. rsync.
>
>
> Third thing:
>
> Is there no IRC channel for BackupPC users? I've looked in IRCnet,
> Freenode and OFTC. ChanServ seems to know about #backuppc in Freenode,
> but nobody was in there.
>
>               Kind regards, Axel Beckert
>   
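
An added example, not part of either message in this thread: the sudoers rule from the reply (written with a Runas_Alias) and the authorized_keys options from the quoted message, combined through a forced-command wrapper that checks what the backup server asked for before running it. The wrapper path /usr/local/bin/backuppc-gate, the accounts user1 and user2, and the restriction to share paths without spaces or shell metacharacters are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: forced-command gate for the unprivileged backuppc account.
# Hypothetical install path: /usr/local/bin/backuppc-gate
#
# ~backuppc/.ssh/authorized_keys on the client (one line, key elided):
#   from="server1.example.org",command="/usr/local/bin/backuppc-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3...8z backuppc@server1.example.org
#
# /etc/sudoers on the client (edit with visudo), using a Runas_Alias:
#   Runas_Alias BACKUP_USERS = user1, user2
#   backuppc ALL = (BACKUP_USERS) NOPASSWD: /usr/bin/rsync --server --sender ?*

LC_ALL=C; export LC_ALL            # make the A-Z ranges below byte-exact
ALLOWED_USERS="user1 user2"        # assumption: must match BACKUP_USERS

# check_command CMD: return 0 only for the read-only rsync sender invocation
# that RsyncClientCmd produces for an allowed user, 1 for anything else.
check_command() {
    cmd=$1
    # Refuse anything outside a plain argument alphabet (quotes, backslash,
    # backtick, $, ;, |, &, newline ...), so the string can be split on
    # spaces and executed without a shell ever parsing it.
    case $cmd in
        *[!A-Za-z0-9\ ./_,=+:@%-]*) return 1 ;;
    esac
    for u in $ALLOWED_USERS; do
        case $cmd in
            "/usr/bin/sudo -u $u /usr/bin/rsync --server --sender "?*) return 0 ;;
        esac
    done
    return 1
}

gate() {
    if check_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                         # no globbing while splitting
        exec $SSH_ORIGINAL_COMMAND     # unquoted on purpose: split on spaces
    fi
    echo "backuppc-gate: command refused" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command; a plain
# login attempt leaves it unset, and the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    gate
fi
```

With this in place a copied private key is limited twice over: from= ties it to the backup server's address, and the gate only lets it start an rsync sender as one of the listed users.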
