Fwd: Re: need help with an rsync patch
Kevin Korb
kmk at sanitarium.net
Sat Aug 17 05:15:36 MDT 2013
It can push or pull. The important part is that it runs as root on
one end and with --fake-super on the other end.
On 08/17/13 00:07, Sherin A wrote:
> On Thursday 15 August 2013 01:25 AM, Kevin Korb wrote:
> It works if you use --fake-super on the side that isn't super. That is the
> only side that needs it:
>
> asylum# id kmk
> uid=12313(kmk) gid=100(users) groups=100(users),10(wheel),16(cron),35(games)
> asylum# ls -l ~kmk/testfile
> -rw-r----- 1 kmk users 0 Aug 14 15:47 /home/kmk/testfile
> asylum# ssh backups@psychosis id
> uid=12317(backups) gid=12317(backups) groups=12317(backups)
> asylum# rsync -vai --rsync-path="/usr/bin/rsync --fake-super" ~kmk/testfile backups@psychosis:
> sending incremental file list
> <f+++++++++ testfile
>
> sent 84 bytes received 31 bytes 230.00 bytes/sec
> total size is 0 speedup is 0.00
> asylum# ssh backups@psychosis ls -l testfile
> -rw-r----- 1 backups backups 0 Aug 14 15:47 testfile
> asylum# ssh backups@psychosis getfattr testfile
> # file: testfile
> user.rsync.%stat
>
> asylum# ssh backups@psychosis getfattr -n user.rsync.%stat testfile
> # file: testfile
> user.rsync.%stat="100640 0,0 12313:100"
>
> asylum# rsync -vai --rsync-path="/usr/bin/rsync --fake-super" backups@psychosis:testfile /tmp/
> receiving incremental file list
> >f+++++++++ testfile
>
> sent 30 bytes received 89 bytes 238.00 bytes/sec
> total size is 0 speedup is 0.00
> asylum# ls -l /tmp/testfile
> -rw-r----- 1 kmk users 0 Aug 14 15:47 /tmp/testfile
>
>
> The file gets stored in the backup as the backups user but with a
> tag saying it is really supposed to be owned by kmk. When I
> restore it it comes back owned by user kmk.
>
> On 08/14/13 15:20, Sherin A wrote:
>>>>
>>>> On Wednesday 14 August 2013 11:04 PM, Kevin Korb wrote:
>>>> The point of --fake-super is that when you restore the file with
>>>> --fake-super it will restore with the original ownership. Of
>>>> course that means that the restore has to be run with super
>>>> privs on the target and --fake-super on the source.
>>>>
>>>>> This doesn't work on remote stores. It doesn't restore
>>>>> the ownerships.
>>>>
>>>>> On Wednesday 14 August 2013 11:04 PM, Kevin Korb wrote:
>>>>
>>>> The point of --fake-super is that when you restore the file
>>>> with --fake-super it will restore with the original
>>>> ownership. Of course that means that the restore has to be
>>>> run with super privs on the target and --fake-super on the
>>>> source.
>>>>
>>>> On 08/14/13 13:30, Sherin A wrote:
>>>>>>> On Wednesday 14 August 2013 10:25 PM, Kevin Korb wrote:
>>>>>>>>
>>>>>>>> As has been pointed out to you your problem is not
>>>>>>>> hard links. Your problem is the indiscriminate use of
>>>>>>>> a root operation (a chown) during the restoration
>>>>>>>> process.
>>>>>>>>
>>>>>>>> You should be solving this by either: A) backing up
>>>>>>>> and restoring the original owner of the files
>>>>>>>> (directly or via --fake-super)
>>>>>>> This won't work,
>>>>>>>
>>>>>>> root@source [~]# id dom2inho
>>>>>>> uid=507(dom2inho) gid=508(dom2inho) groups=508(dom2inho)
>>>>>>> root@source[~]# rsync -avp -e 'ssh ' --fake-super /home/dom2inho backup@10.0.0.10:/home/backup/
>>>>>>>
>>>>>>> In storage server,
>>>>>>>
>>>>>>> [root@dest dom2inho]# id backup
>>>>>>> uid=505(backup) gid=506(backup) groups=506(backup)
>>>>>>> [root@dest dom2inho]# pwd
>>>>>>> /home/backup/dom2inho
>>>>>>> [root@dest dom2inho]# ll -d /home/backup/dom2inho/shadow
>>>>>>> --w------- 1 backup backup 1344 Aug 13 12:52 /home/backup/dom2inho/shadow => not preserving uids or gids
>>>>>>> [root@da dom2inho]#
>>>>>>>
>>>>>>> If I am doing something wrong please let me know.
>>>>>>>
>>>>>>>
>>>>>>>> B) backing up each user's files and only their
>>>>>>>> files.
>>>>>>> I don't see an option in the rsync man page to copy only
>>>>>>> each user's files; can you please point me to that
>>>>>>> option?
>>>>>>>
>>>>>>>
>>>>>>> Thanking you for your valuable time and help.
>>>>>>>
>>>>
> So, it needs to be a pull-type rsync with an unprivileged user? It
> was not a permanent solution always. Maybe it is time to
> present this POC to other forums. There will be a big issue with
> hundreds of servers and applications that use rsync and can be
> exploited using the POS.
>
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: http://www.sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
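
Added example, not part of Kevin Korb's message or of rsync itself: the quoted session shows --fake-super recording the real owner in the `user.rsync.%stat` xattr as `100640 0,0 12313:100`, that is octal mode, device major,minor, then uid:gid. The Python sketch below parses that value and lists what a restore run as root would apply for each entry, so root-owned, setuid/setgid or device-node entries can be reviewed first; the function names and every sample except `testfile` are constructed for illustration.

```python
import stat
from typing import NamedTuple

class FakeSuperStat(NamedTuple):
    mode: int      # full st_mode, including the file-type bits
    rdev: tuple    # (major, minor), meaningful for device nodes
    uid: int
    gid: int

def parse_fake_super_stat(value: str) -> FakeSuperStat:
    """Parse 'MODE MAJOR,MINOR UID:GID' (MODE in octal) as printed by getfattr."""
    mode_s, rdev_s, owner_s = value.strip().strip('"').split()
    major, minor = (int(x) for x in rdev_s.split(","))
    uid, gid = (int(x) for x in owner_s.split(":"))
    return FakeSuperStat(int(mode_s, 8), (major, minor), uid, gid)

def restore_findings(path: str, value: str) -> list:
    """List what a root-run restore would apply that deserves a second look."""
    try:
        st = parse_fake_super_stat(value)
    except ValueError:
        return [f"{path}: unparsable user.rsync.%stat value {value!r}"]
    notes = []
    if st.uid == 0 or st.gid == 0:
        notes.append(f"{path}: restores as uid {st.uid} gid {st.gid} (root-owned)")
    if st.mode & (stat.S_ISUID | stat.S_ISGID):
        notes.append(f"{path}: restores setuid/setgid, mode {stat.filemode(st.mode)}")
    if stat.S_ISCHR(st.mode) or stat.S_ISBLK(st.mode):
        notes.append(f"{path}: restores as device node {st.rdev[0]},{st.rdev[1]}")
    return notes

# Constructed samples: the first value is the one shown in the message above,
# the others are made up to exercise each check.
SAMPLES = {
    "testfile": "100640 0,0 12313:100",
    "bin/tool": "104755 0,0 0:0",
    "dev/node": "60660 8,0 0:6",
    "broken": "not-a-stat",
}

if __name__ == "__main__":
    for path, value in SAMPLES.items():
        for line in restore_findings(path, value) or [f"{path}: ok"]:
            print(line)
```

On a real backup store the values would come from `getfattr -n user.rsync.%stat` run over the tree, as in the quoted session.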