BackupPC-users

Re: [BackupPC-users] Problem with converting to visudo method keys

2010-03-14 20:44:34
Subject: Re: [BackupPC-users] Problem with converting to visudo method keys
From: Luis Paulo <luis.barbas AT gmail DOT com>
To: tx836519 AT bellsouth DOT net, "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Mon, 15 Mar 2010 00:42:42 +0000
Hi, Ken

1- You must replace <backuppc-server name> with your server IP or name in
Host_Alias      LOCAL = <backuppc-server name>
something like
Host_Alias      LOCAL = 192.168.1.101

> root  <<--- Is this correct for the visudo method?
This is correct for the ssh command ( ssh -l root 192.168.1.101 )
Visudo (the sudoers file) only cares about what users can do when running (or trying to run) commands with su or sudo. It has nothing to do with connecting to the machine.

2- Required: you must be able to ssh between the backuppc users on both machines.

from server you should be able to run
$ su - backuppc
$ ssh [email protected]
With the second command you should be able to connect to the client without any request for a password or passphrase.

3- Last, you'll have to change your ClientCmd's to something like:

on 192.168.1.101 (tar method)
$Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f - -C $shareName --totals';
$Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x -v -f - -C $shareName --totals';

on 192.168.1.106 (rsync method)
 $Conf{RsyncClientCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
 $Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';

Again, visudo comes in here only to allow the backuppc user on the client to run the command /usr/bin/rsync --server --sender * as root without a password (that is, only that and nothing else as root, without needing the root password),
and to allow the backuppc user on the server the same, but for /bin/tar -c * only.

Try, for instance, sudo ls: Sorry, user backuppc is not allowed to execute '/bin/ls' as root on ...

To allow the restore command you have to extend the visudo permissions, which may be a security risk, as stated in http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided

Regards
Luis

On Sun, Mar 14, 2010 at 10:41 PM, Kenneth L. Owen <tx836519 AT bellsouth DOT net> wrote:
Hi Luis (and others),

I've taken a little time to study the visudo approach to running
BackupPC instead of using phrase-less keys for root logon at the client
machine.  This is a much lower risk, indeed.

On Ubuntu, Vim is the default editor for visudo with Vim-tiny included
in the distribution.  When I tried to use Vim-tiny, I got some strange
results!  I closed the session without save and upgraded to Vim-full.
The full version editor worked like it should.

I edited the sudoers file on the backuppc_server as follows:
# --------------backuppc-server machine sudoers -------------
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL

# Host alias specification
Host_Alias      LOCAL = <backuppc-server name>

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment the first line and comment the second to
# to RESTORE client.  Switch them back after restore.
# backuppc LOCAL=NOPASSWD: /bin/tar -c *, /bin/tar -x *
backuppc LOCAL=NOPASSWD: /bin/tar -c *

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# ----------------- end backuppc-server sudoers --------------

I ran a backup (tar method) on the server's home directory just to check
that the server and backuppc were communicating.  It ran fine.

Next, I edited the sudoers file on the client machine as follows:
-------------- client machine sudoers ------------------------
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment the first line and comment the second to
# to RESTORE client.  Switch them back after restore.
# backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
----------- end client sudoers ------------------------------

Then, I created my ssh keys for the rsync transfer between the
backuppc-server and the client machines.  If I understand things
correctly, I create two sets of keys similar to the root logon method
except that, for this method, the BackupPC key is phrase-less like
before, but the root key from the client machine can have a strong
password.  The key generation seemed to go well with no errors.

When I ran the command
ssh -l root 192.168.1.101 whoami
the response was:
root  <<--- Is this correct for the visudo method?

When I tried to run a full backup on the client I got the "failed to
read 4 bytes" error message indicating that the keys are bad or missing
or that I didn't do something else right.

Anyone see where I botched the switch over?  -- ken




------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

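The sudoers rules discussed in this thread can be reasoned about offline. What follows is an added example, not code from BackupPC or from sudo: it reimplements only sudo's command-argument matching, where the command path must be equal and the remaining arguments, joined with spaces, are compared with fnmatch(3)-style globbing, so a trailing * also matches spaces and therefore any number of further arguments. The sudoers fragments, hostnames and rsync server options in it are constructed for the demonstration; Host_Alias lines are resolved, while Defaults, Runas specs and the rest of the sudoers grammar are ignored. It shows that /usr/bin/rsync --server --sender * permits only rsync's sending side (the backup), that /usr/bin/rsync --server * also permits the receiving side (a restore, which writes as root), and that /bin/tar -c * pins only the first argument, so every other option GNU tar accepts after -c, including its --checkpoint-action=exec= option that runs a command, is still allowed.

```python
"""Offline model of sudoers command/argument matching for BackupPC rules.

Added example, not code from BackupPC or sudo.  Only the argument-matching
part of sudo's rule evaluation is modelled: the command path must be equal
and the remaining arguments, joined with single spaces, are compared with
fnmatch(3)-style globbing.  Host_Alias lines are resolved; Defaults, Runas
specs and everything else in the sudoers grammar are ignored.
"""
import fnmatch
import re
import shlex

# Constructed sudoers fragments (assumptions for this demo, not copied from
# any real machine).  192.168.1.101 is taken to be the BackupPC server.
CLIENT_SUDOERS_BACKUP_ONLY = """
Defaults        env_reset
root    ALL=(ALL) ALL
backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
"""

CLIENT_SUDOERS_RESTORE = """
root    ALL=(ALL) ALL
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
"""

SERVER_SUDOERS = """
Host_Alias      LOCAL = 192.168.1.101
root    ALL=(ALL) ALL
backuppc LOCAL=NOPASSWD: /bin/tar -c *
"""

_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"     # user HOST=
    r"(?:\([^)]*\)\s*)?"                         # optional (runas) spec
    r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?"      # optional tag
    r"(?P<cmnds>.+)$")
_HOST_ALIAS = re.compile(r"^Host_Alias\s+(\w+)\s*=\s*(.+)$")


def parse_sudoers(text):
    """Return (host_aliases, rules).  Each rule is
    (user, host, tag, command_path, args_pattern); args_pattern is None when
    the command is listed without arguments (sudo then allows any args)."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _HOST_ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        m = _RULE.match(line)
        if not m:
            continue
        for spec in m.group("cmnds").split(","):
            parts = spec.strip().split(None, 1)
            if not parts:
                continue
            path, args = parts[0], (parts[1] if len(parts) == 2 else None)
            rules.append((m.group("user"), m.group("host"), m.group("tag"), path, args))
    return aliases, rules


def rule_permits(rule, aliases, user, host, argv):
    """True if a single rule lets `user` on `host` run argv as root."""
    r_user, r_host, _tag, r_path, r_args = rule
    if r_user != user:
        return False
    if r_host != "ALL" and host not in aliases.get(r_host, [r_host]):
        return False
    if r_path == "ALL":
        return True
    if r_path != argv[0]:
        return False
    if r_args is None:          # command listed without args: any args allowed
        return True
    if r_args == '""':          # explicit "" in the rule: no args allowed
        return len(argv) == 1
    # Like sudo, match the glob against the whole joined argument string;
    # '*' therefore matches spaces, i.e. any number of extra arguments.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), r_args)


def permitted(sudoers_text, user, host, argv):
    """True if any rule in sudoers_text permits user@host to run argv."""
    aliases, rules = parse_sudoers(sudoers_text)
    return any(rule_permits(r, aliases, user, host, argv) for r in rules)


# Command lines as the server would run them through sudo on the far side
# (constructed; the rsync server option string is illustrative only).
RSYNC_BACKUP = shlex.split("/usr/bin/rsync --server --sender -logDtpre.iLsfx . /home")
RSYNC_RESTORE = shlex.split("/usr/bin/rsync --server -logDtpre.iLsfx . /")
TAR_BACKUP = shlex.split("/bin/tar -c -v -f - -C /home --totals")
TAR_RESTORE = shlex.split("/bin/tar -x -v -f - -C /home --totals")
# Still matches "-c *": only the first argument is pinned, and GNU tar's
# --checkpoint-action=exec= runs a command while the archive is created.
TAR_CHECKPOINT = shlex.split("/bin/tar -c --checkpoint=1 --checkpoint-action=exec=/bin/sh /")

if __name__ == "__main__":
    for label, text, host, argv in [
        ("client --sender rule, backup", CLIENT_SUDOERS_BACKUP_ONLY, "client", RSYNC_BACKUP),
        ("client --sender rule, restore", CLIENT_SUDOERS_BACKUP_ONLY, "client", RSYNC_RESTORE),
        ("client --server * rule, restore", CLIENT_SUDOERS_RESTORE, "client", RSYNC_RESTORE),
        ("server tar -c rule, backup", SERVER_SUDOERS, "192.168.1.101", TAR_BACKUP),
        ("server tar -c rule, restore", SERVER_SUDOERS, "192.168.1.101", TAR_RESTORE),
        ("server tar -c rule, checkpoint", SERVER_SUDOERS, "192.168.1.101", TAR_CHECKPOINT),
    ]:
        print(f"{label:34} -> {permitted(text, 'backuppc', host, argv)}")
```

Running it prints True for the backup cases and the checkpoint case, and False for a restore under the --sender rule or under tar -c *; the --server * rule returns True for both rsync directions, which is why the FAQ linked above treats the restore-capable rule as the one to be careful with.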