Libre Things


Tag - sauvegarde


Wednesday 29 December 2010

Rsync command restriction over SSH

You have two systems and you want to set up a secure backup of one to the other using rsync over SSH.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To do the backup, you have to be root on the remote server, because some files are readable only by root.

Problem: this allows backup.example.com to do anything on myserver.example.com, when read-only access to the directory would be sufficient.

To solve it, you can use the command="" directive in the authorized_keys file to restrict the key to a single command.

To find this command, run rsync with the -e'ssh -v' option added:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a result like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now, just add the command before the key in /root/.ssh/authorized_keys:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

For even more security, you can add a source-host filter (from="") and other restrictive options:

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open an SSH shell on the remote server, and try some unauthorized rsync commands.

Notes:

  • Beware: if you change the rsync command options, you must also update the authorized_keys file.
  • No need for a complex chroot anymore. Forget my previous article: /post/SFTP-chroot-rsync

See also:

  • man ssh #/AUTHORIZED_KEYS FILE FORMAT
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)
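A variant of the command="" restriction above, as an added example that is not part of the original post: instead of silently substituting the fixed command, a small wrapper compares what the client asked for (sshd exposes it in SSH_ORIGINAL_COMMAND) with the allowed string and logs any mismatch, which makes the situation from the first note easy to diagnose. The wrapper path /usr/local/sbin/backup-only-rsync and its "run" argument are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the backup key.
# Assumed (hypothetical) install path, referenced from authorized_keys as:
#   command="/usr/local/sbin/backup-only-rsync run",no-pty,... ssh-rsa AAAA...

# The single command the backup key may run: the string captured with
# 'ssh -v' in the post.
ALLOWED='rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/'

# Print "allow" only on an exact match. An empty request (interactive
# shell), different options, another path or appended commands are "deny".
decide() {
    if [ "$1" = "$ALLOWED" ]; then
        echo allow
    else
        echo deny
    fi
}

enforce() {
    requested=${SSH_ORIGINAL_COMMAND:-}
    if [ "$(decide "$requested")" = allow ]; then
        # Run the fixed string, never the client-supplied one.
        # Word splitting is intended here; globbing is switched off first.
        set -f
        exec $ALLOWED
    fi
    # Log the rejected request so a changed rsync option is easy to spot.
    logger -t backup-only-rsync -p auth.warning \
        "denied from ${SSH_CONNECTION:-unknown}: ${requested:-<shell>}"
    echo "backup-only-rsync: command not permitted" >&2
    exit 1
}

# Enforce only when called with "run", as in the command="" line above.
if [ "${1:-}" = run ]; then
    enforce
fi
```

If the backup job's rsync options change, only the ALLOWED string needs updating, and the denied request appears in the auth log with the exact command the client sent.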

Thursday 20 May 2010

Brasero Bug Copying Audio CD in Ubuntu Lucid

Audio CD copy is currently not possible with Brasero on Ubuntu Lucid. All details are in the bug report.

As a workaround, you must install cdrdao version 1.2.3, which is not yet available as a package.

To install it, you can use CheckInstall, which is a bit cleaner than the old make install:

tar -xjvf cdrdao-1.2.3.tar.bz2
cd cdrdao-1.2.3/
./configure
make
sudo checkinstall make install

Note: the make command can fail because of missing dev packages, which you'll have to install.

CheckInstall builds and installs a nice Debian package.

You can also use cdrdao directly. ps axf shows us the command Brasero is using:

cdrdao read-cd --device /dev/sr0 --read-raw --datafile /home/dooblem/brasero.toc.bin -v 2 /home/dooblem/brasero.toc

Here we go!


Audio CD Backup/Archive

It's not possible to back up an audio CD as an ISO image. This format is for data CDs.

You should use cdrdao.

Example:

cdrdao read-cd --read-raw --datafile FILE_NAME.bin --device /dev/cdrom --driver generic-mmc-raw FILE_NAME.toc

Under Ubuntu, you can use Brasero with "CD copy" mode. ps axf shows us the command Brasero is using:

cdrdao read-cd --device /dev/sr0 --read-raw --datafile /home/dooblem/brasero.toc.bin -v 2 /home/dooblem/brasero.toc

Note: there is a Brasero Bug in Ubuntu Lucid with cdrdao.