Web Interface to rsync

Joseph Annino jannino at jannino.com
Fri Feb 15 05:56:04 EST 2002


I kind of doubt I could easily get the original code at this point, but it
really wasn't anything too complex.

One way around the password issue is to use the ssh-agent and identities
with a passphrase.  Ssh-agent lets you pipe a password into it.  Once the
user enters the password once it is good for their entire session.  The
O'Reilly book on SSH is excellent at explaining all this stuff.

Not having passwords is important with my File::Rsync::Safe module because
it connects with rsync multiple times to be sure that everything is done
correctly.  Having to enter a password 4 or 5 times to do a transfer would
be quite annoying.  So I am also looking at ways to solve the password
problem.

The way I got around the ssh password issue, which I am sure is not the best
way, was to take the following steps:
- Users are not given accounts on the live server.  The live server is
controlled only by administrators and special accounts.
- Create a special account called 'webmove' on the staging and live servers.
All web content is owned by this user.
- Set up this account with an ssh key with no password.  Webmove on each
server needs to be able to log into the other server.  You can optionally
give it a restricted shell.
- When a user runs the copy script it will:
    - Check that the files exist and the user has rights to copy the files.
    - Connect to the live server as the webmove user, and send a command to
a copy script running on the live server.
    - The copy script running on the live server double-checks that the user
can do the copy.
    - The copy script on the live server runs rsync and does the actual
update.

This makes for a reasonably secure way of doing things, because the script
on the live server limits what can be done to legitimate commands, instead
of just writing anything anywhere with rsync.  I'm sure it's possible for
people to fake their way around this, but so long as your staging machine is
secure and you trust your users I found it acceptable.  There are also ways
to make ssh identities that run certain commands, etc.  Again I recommend
the O'Reilly book.



-- 
Joseph Annino Consulting - Perl, PHP, MySQL, Oracle, etc.
jannino at jannino.com - http://www.jannino.com
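
The live-server check described in the message above, sketched as an added example (it is not the original tool or File::Rsync::Safe). It assumes the webmove key on the live server carries an OpenSSH forced command (a command="..." option in authorized_keys) pointing at this script, so the staging side's request arrives in SSH_ORIGINAL_COMMAND; the "copy <user> <path>..." request format, the ACL contents, the host alias and /var/www are all constructed for illustration.

```python
import os
import posixpath
import re
import shlex

# Constructed policy: subtrees of the web root each staging user may push.
ACL = {"alice": ["clients/acme"], "bob": ["clients/globex", "shared/img"]}
WEB_ROOT = "/var/www"          # assumed: same layout on staging and live
STAGING = "webmove@staging"    # hypothetical host alias for the staging box

class Denied(Exception):
    """Request rejected by the live-server gate."""

def safe_relpath(raw):
    """Normalise a requested path; refuse anything that could leave WEB_ROOT."""
    # Conservative charset: no shell metacharacters reach the remote rsync.
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", raw) or raw[0] in "/-":
        raise Denied(f"bad path: {raw!r}")
    norm = posixpath.normpath(raw)
    if norm in (".", "..") or norm.startswith("../"):
        raise Denied(f"path escapes web root: {raw!r}")
    return norm

def build_rsync_argv(original_command):
    """Map 'copy <user> <path>...' to rsync argv lists, or raise Denied."""
    try:
        words = shlex.split(original_command)
    except ValueError as exc:
        raise Denied(f"unparseable request: {exc}")
    if len(words) < 3 or words[0] != "copy":
        raise Denied("only 'copy <user> <path>...' is accepted")
    user, jobs = words[1], []
    for raw in words[2:]:
        rel = safe_relpath(raw)
        if not any(rel == p or rel.startswith(p + "/") for p in ACL.get(user, [])):
            raise Denied(f"{user} may not update {rel}")
        dest = f"{WEB_ROOT}/{posixpath.dirname(rel)}".rstrip("/") + "/"
        jobs.append(["rsync", "-a", "-e", "ssh", "--",
                     f"{STAGING}:{WEB_ROOT}/{rel}", dest])
    return jobs

if __name__ == "__main__":
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
    try:
        for argv in build_rsync_argv(os.environ.get("SSH_ORIGINAL_COMMAND", "")):
            print(shlex.join(argv))   # dry run; a deployment would execute argv
    except Denied as why:
        raise SystemExit(f"denied: {why}")
```

The user name is whatever the staging script asserts, so this gate narrows what a stolen or misused webmove key can do but still depends on the staging machine being trustworthy, as the message says.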


On 2/14/02 9:06 AM, "Frank Perugini" <frankp at web-worx.com> wrote:

> Joseph,
> 
> Thanks for the reply. I would be interested in your File::Rsync::Safe
> module. When you are ready I would be happy to beta test for you. Sounds
> like I would run into the same problems you did when you had it set up. Do
> you have any of that original work?
> 
> My problem right now is the transport layer for rsync. I already have ssh
> configured on both dev and production servers. We use it for remote shells
> for maintenance. ssh is currently set up to use passwords. When I run rsync
> sessions and specify ssh as the transport, I get prompted interactively for
> a password. I know I can use SSH keys with no passphrase, but I like the
> extra security of passwords. I have been trying to wrap the rsync command
> using the Expect module, but having a few problems right now. I don't know
> if this will work out.
> 
> 
> -Frank
> 
> -----Original Message-----
> From: Joseph Annino [mailto:jannino at jannino.com]
> Sent: Wednesday, February 13, 2002 8:55 PM
> To: Frank Perugini; rsync at lists.samba.org
> Subject: Re: Web Interface to rysnc
> 
> 
> It was an internal use only tool I no longer have access to, but I did set up
> a command line version of something like this, and a simple web interface
> was later put on top of it.
> 
> Because the directory structure of the development server mirrored that of
> the live server, just a list of names of files in the development server
> would be passed to the script.  It would connect to the live server and do
> the copy.  It checked all paths through a config file that specified what
> paths different users could update.  The script just checked which unix
> account invoked it to determine the user.
> 
> All copies are done atomically, meaning files are copied to directory_new,
> directory is renamed as directory_old, directory_new is renamed as
> directory, and then directory_old is deleted.  This results in only split
> second downtime, as well as not ending up in some weird state if the
> transfer gives up in the middle.
> 
> One big issue that wasn't foreseen in the first version: deleting files.
> 
> I am working on a module File::Rsync::Safe, for doing the kind of atomic
> copies I mentioned above, among other things.  I haven't announced it yet
> because I'm still working on getting the people paying for my work to
> understand what the GPL is, but they will come around shortly.
> 
> 
> --
> Joseph Annino Consulting - Perl, PHP, MySQL, Oracle, etc.
> jannino at jannino.com - http://www.jannino.com
> 
> 
> On 2/13/02 7:30 PM, "Frank Perugini" <frankp at web-worx.com> wrote:
> 
>> Greetings All,
>> 
>> I am planning on authoring a web-based (CGI) interface to rsync. The idea is
>> to build a fool-proof interface for my web designers to push content changes
>> from our development server to our live production server. I am talking
>> about an interface which allows point-n-click navigation of file system
>> folders and the ability to push files. These users are both MAC and Windows
>> based. We are a web design and hosting company.
>> 
>> I have been monitoring this group and other newsgroups and experimenting
>> with rsync. I know there is a perl module that wraps rsync, and I will
>> probably use it.
>> 
>> Does anyone know if anyone else has already undertaken a project of this
>> type? I don't want to re-invent the wheel. I have not seen much mention
>> of any web-based interfaces or wrappers (other than the perl module).
>> There's usually people creating web-based interfaces to just about
>> everything, but I have not seen this yet. I think it can be a very useful
>> system.
>> 
>> Regards,
>> 
>> -Frank
>> 
>> 
> 
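
The directory_new / directory_old rename sequence from the quoted message above, as an added example (not File::Rsync::Safe and not code from the original posts). The populate callback is a hypothetical stand-in for the rsync run, and write_page only produces constructed sample content.

```python
import os
import shutil
import tempfile

def atomic_replace(live_dir, populate):
    """Fill live_dir + '_new' via populate(path), then swap it into place.

    If populate raises (the transfer gave up), the half-filled copy is
    removed and live_dir is left exactly as it was.
    """
    new_dir, old_dir = live_dir + "_new", live_dir + "_old"
    # An earlier run that died between the two renames left only *_old behind.
    if not os.path.exists(live_dir) and os.path.isdir(old_dir):
        os.rename(old_dir, live_dir)
    for leftover in (new_dir, old_dir):      # debris from an interrupted run
        shutil.rmtree(leftover, ignore_errors=True)
    os.mkdir(new_dir)
    try:
        populate(new_dir)
    except Exception:
        shutil.rmtree(new_dir, ignore_errors=True)
        raise
    os.rename(live_dir, old_dir)             # content is unavailable from here
    try:
        os.rename(new_dir, live_dir)         # until this rename completes
    except OSError:
        os.rename(old_dir, live_dir)         # roll back to the previous content
        raise
    shutil.rmtree(old_dir)

def write_page(text):
    """Return a populate callback that writes one constructed file."""
    def populate(path):
        with open(os.path.join(path, "index.html"), "w") as fh:
            fh.write(text)
    return populate

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")
    os.mkdir(site)
    atomic_replace(site, write_page("v2"))
    print(sorted(os.listdir(root)))          # only the swapped-in directory remains
    shutil.rmtree(root)
```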




