Step 3: Verify User Belongs to Sudo Group. Most Linux systems, including Ubuntu, have a user group for sudo users. Log into the system with a root user or an account with sudo privileges. With the recommended configuration, rsyncuser may now run rsync as root without even being asked for a password.

Running as root but with restrictive SELinux rules should do the trick, but don't ask me what the rules would have to be. I'm not sure offhand if there's a way to make this work for backups.

It's very much worth it to learn to run with as few permissions as possible. If you run MySQL as your user or a special limited mysql user, only your user files or MySQL's own files can be compromised. If you run MySQL as root and it is compromised, your whole system is compromised.

Run the read side of rsync as a dedicated non-root user but with the capability CAP_DAC_READ_SEARCH. The user should have a full view of the filesystem (of course) and access to a copy of /usr/bin/rsync which has this capability. I'm not very familiar with capabilities on Linux but I think this is how to set it up:

```sh
cp /usr/bin/rsync /usr/local/sbin/rsync-for-backup
chown root:root /usr/local/sbin/rsync-for-backup
chmod 700 /usr/local/sbin/rsync-for-backup
setfacl -m user:backupuser:rx /usr/local/sbin/rsync-for-backup
setcap cap_dac_read_search+ep /usr/local/sbin/rsync-for-backup
```

Remember to keep the copy updated whenever rsync is updated. Pass --rsync-path=/usr/local/sbin/rsync-for-backup on the other side. Other Unix variants would need other solutions. The bindfs solution would let you read file contents but would mangle some metadata.
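As an added example, not code from any answer on this page: an idempotent POSIX sh script that installs, refreshes and checks the capability-bearing copy of rsync described in the CAP_DAC_READ_SEARCH answer above. The script name, the `install` argument, the helper names `needs_refresh` and `caps_ok`, and the account name `backupuser` are assumptions; the paths are the ones used on the page. The install step must run as root. `setcap` is deliberately the last step, because `chown` (and any write to the file) clears the `security.capability` attribute, and the copy is built under a temporary name and renamed so a half-built binary is never exposed.

```sh
#!/bin/sh
# refresh-rsync-for-backup (hypothetical name): keep the capability-bearing
# rsync copy in sync with the packaged binary. Added example, not the page's code.
set -eu

SRC=/usr/bin/rsync
DST=/usr/local/sbin/rsync-for-backup
BACKUP_USER=${BACKUP_USER:-backupuser}   # assumed account name

# Return 0 (true) when the copy at $2 is missing or differs from $1,
# i.e. when the packaged rsync was updated and the copy is stale.
needs_refresh() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# Return 0 when a getcap output line grants exactly cap_dac_read_search as
# effective+permitted. libcap >= 2.41 prints "FILE cap_x=ep", older releases
# print "FILE = cap_x+ep"; an empty line means no capabilities at all.
caps_ok() {
    case "$1" in
        *cap_dac_read_search=ep*|*cap_dac_read_search+ep*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the copy under a temporary name on the same filesystem, then rename.
# rename() keeps the ACL and security.capability xattrs; a plain cp does not
# copy them, which is why every attribute is set here from scratch.
install_copy() {
    tmp="$DST.tmp.$$"
    cp "$SRC" "$tmp"
    chown root:root "$tmp"                     # chown would strip file caps,
    chmod 700 "$tmp"                           # so it comes before setcap
    setfacl -m "user:$BACKUP_USER:rx" "$tmp"   # only root and the backup account
    setcap cap_dac_read_search+ep "$tmp"       # last: bypass read/search DAC checks
    mv "$tmp" "$DST"
}

# Confirm the installed copy still carries the capability (e.g. after an
# accidental chown or an rsync with --xattrs that dropped it).
verify() {
    caps_ok "$(getcap "$DST")"
}

main() {
    if needs_refresh "$SRC" "$DST"; then
        install_copy
    fi
    verify || { echo "capability missing on $DST" >&2; exit 1; }
}

# Only act when explicitly asked; sourcing the file defines the helpers only.
[ "${1:-}" = install ] && main
```

Run it as `sudo refresh-rsync-for-backup install` from a package-manager post-invoke hook or cron so the copy never lags behind /usr/bin/rsync, and pull from the client with `rsync -a --rsync-path=/usr/local/sbin/rsync-for-backup backupuser@host:/ /backups/host/`. Two caveats a deployment should account for: the capability lets `backupuser` read every file on the host, /etc/shadow and private keys included, so its SSH key deserves the same protection as root's; and the kernel ignores file capabilities on filesystems mounted `nosuid` and for processes under `no_new_privs`, so the copy must live on a mount without that flag.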