From owner-freebsd-questions@FreeBSD.ORG Wed Jan 11 12:55:48 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF7A216A41F for ; Wed, 11 Jan 2006 12:55:48 +0000 (GMT) (envelope-from norgaard@locolomo.org) Received: from strange.daemonsecurity.com (59.Red-81-33-11.staticIP.rima-tde.net [81.33.11.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4695143D4C for ; Wed, 11 Jan 2006 12:55:48 +0000 (GMT) (envelope-from norgaard@locolomo.org) Received: from [172.24.8.84] (generic.ATOSORIGIN.ES [212.170.156.200]) by strange.daemonsecurity.com (Postfix) with ESMTP id 029AF2E0A5; Wed, 11 Jan 2006 13:55:46 +0100 (CET) Message-ID: <43C50087.5050008@locolomo.org> Date: Wed, 11 Jan 2006 13:56:39 +0100 From: Erik Norgaard User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: user References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: how should I (best practice) set up permissions for rsync ? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 12:55:48 -0000 user wrote: > I want to rsync /usr/home from one machine to another, for purposes of > backup. > > This would be a cinch if I just rsyncd -e ssh, as user "root" from one > machine to another. The cron job runs with root perms, and the > destination machine gets logged into as root and can write into the > destination /usr/home. > > However, I sort of like the idea that root cannot ssh directly into a > freebsd machine, by default. I am inclined not to change this. > > I also would like to keep default /usr/home permissions as they are. 1st: you could reverse the connection so the backup machine fetches from the server, this means that the user that logs into the server only need read access. 2nd: maybe you want to have incremental backups so you can go back a number of days? I don't know your system, but it happens that users delete some vital file and don't get it restored right away. You can create a tar-archive preserving owner, group and permissions. In that case, your server should push the archive to the backup host otherwise you may get problems with clocks not being in sync or backup on the server not finishing before the backup is fetched. The advantage is that you can create the tar archive as root, change owner/group and send it to the backup host using ssh and login to a restricted account. I worked as an administrator, the backup policy was: * full backup on tape on weekdays, that is at night when activity is low, change tape every day * backup only changes during weekends, same tape (the friday tape) * latest two backup tapes stored on external site * tapes cycled with 2 weeks interval, every fortnight the daily backup was queued in the two week backup line with longer storage time before the tape was recycled. Now, this is a quite expensive backup policy. Just FYI. Cheers, Erik