From owner-freebsd-isp Tue Nov 4 12:01:16 1997
Message-Id: <199711042000.OAA14613@hal-pc.org>
To: freebsd-isp@FreeBSD.ORG
Priority: Normal
X-Mailer: Post Road Mailer for OS/2 (Green Edition Ver 3.0)
Date: Tue, 4 Nov 1997 14:00:39 CST
From: "Robert E. Gunn"
Reply-To: "Robert E. Gunn"
Subject: Re: Fw: rdist Alternatives
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk

Addressed to: Distribution list (see below)

** Reply to note from "John Brown" Tue, 4 Nov 1997 12:53:43 -0500
>
> I have been working for a couple of weeks now to get rdist to work and have
> been very unsuccessful.
>
> So now on to the next option. I need to duplicate my password db to my
> secondary radius server. Are there other utilities that I can use to make
> this happen?
>
> rdist info -- In case someone is interested. I started with a 2.1.x box and
> was able to get it to transfer files from this machine to a 2.2.2 box but
> could never get it going the other way. So, being the smart individual that I
> am, I upgraded the 2.1.x box to 2.2.5 -- well, you guessed it... Now it
> doesn't work either way. When running with the debug flag it appears to bomb
> at the first rsh that is executed, with a 'permission denied'. At this point I
> have checked everything that I can think of and am at a loss. rlogin will
> work both ways, but rsh and rcp AND rdist will not (all die with the same
> message 'Permission Denied'). Nothing in the messages log, NOTHING
> AAAAAARRRRRRRGGGGGHHHH!!!
>
> God I Love Unix!!!
;)

OK, here's how I did it.

1) If you are running any kind of reasonable security, the remote system
   will not allow you to remotely execute as root. There are VERY good
   reasons for this.

2) You have to be root to read the master.passwd file. A small gotcha.

3) I've created a pseudo user 'etc' to do the actual rcp. It has group
   read-only access to everything in the /etc directory. I can't find a
   security flaw in this--but there are no guarantees.

4) This process runs out of cron every 10 minutes.

   # rcopy the /etc directory to news:/etc
   # 960213 00:13 reg Added rcopy at 10 minute interval
   */10 * * * * root /etc/rcopy

5) The rcopy script is owned by root:

   -rwxr----- 1 root wheel 1152 Feb 13 1996 rcopy*

------BEGIN rcopy 740-----------------------------------------------------
#!/bin/ksh
# rcopy, version 960212 reg@hal-pc.org
#========================================================================
# A program to copy the /etc directory to news:/etc/etc.hal-pc.org
# Running as root, it finds the files that do not have group read
# access, chmods those files to read access, su to etc (tricky)
# rcp the /etc directory to news:/etc/etc.hal-pc.org, reverts back
# to root and chmods the files back the way they were.
#========================================================================
# Last Revised UID Modification
# 960212 01:16 reg Original rcopy
#========================================================================
# DEBUG=true
if [ ${DEBUG:-false} = true ];then echo "$*\n$PATH\n$PWD";sleep 2;set -xv;fi
#trap 'echo $0: INTERRUPT;exit' INT
#trap 'echo $0: ERROR;continue' ERR
#trap 'echo $0: ERROR' ERR

# List of /etc entries that currently lack group read permission.
# Note: the name is predictable and /tmp is world-writable.
tmpfile=/tmp/perms.$$
cd /etc
find /etc ! -perm -0040 > $tmpfile

# Temporarily grant group read so user 'etc' can rcp them.
for file in $(cat $tmpfile)
do
    chmod g+r $file
done

# su to etc and execute rcopy.etc (a bare "su etc" would only start an
# interactive shell, which does nothing from cron).
su etc -c /etc/rcopy.etc

# Put the group read bits back the way they were.
for file in $(cat $tmpfile)
do
    chmod g-r $file
done
rm $tmpfile
------------END-rcopy-------------------------------------------------------

6) The second script rcopy.etc is owned by 'etc'.
   It ONLY copies files that are newer than the date stamp on itself (the
   last time it ran).

   -rwxr----- 1 etc wheel 652 Nov 4 13:40 rcopy.etc*

------BEGIN rcopy.etc 740---------------------------------------------------
#!/bin/ksh
# rcopy.etc version 960212 reg@hal-pc.org
#========================================================================
# A program to copy the /etc directory to news:/etc/hal-pc.org/
#========================================================================
# Last Revised UID Modification
# 960212 22:57 reg Changed rcp -rp to find /etc -newer
# 960212 01:27 reg Original rcopy.etc
#========================================================================
#rcp -pr /etc etc@news:/etc/hal-pc.org

# Copy only regular files modified since this script was last touched.
# {} is an absolute path, so the copies land under /etc/hal-pc.org/etc/
# on the remote side.
find /etc -type f -newer /etc/rcopy.etc \
    -exec rcp -p {} etc@news:/etc/hal-pc.org/{} ';'

# Update the stamp so the next run copies only newer files.
touch /etc/rcopy.etc
-------END rcopy.etc---------------------------------------------------------

7) This has been running without serious problems for over a year. It
   keeps all the copied files in a secure area (/etc/hal-pc.org/etc) on
   the target disk. I've never felt like going back and cleaning it
   up--it works.

I think you've already discovered the nitty-gritty like setting up
trusted hosts, ....

--
Robert Gunn <>|Post Office Box 27474 |Voice:+1 713 960 1588
reg@hal-pc.org |Houston, Texas 77227-7474|Fax: +1 713 960 9497
HAL-PC: The world's largest computer club and a lot more!
Hiroshima 45, Chernobyl 86, Windows 95

Distribution list: "John Brown" freebsd-isp@FreeBSD.ORG
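A variant of the same incremental copy, added here as an example and not part of the poster's scripts: instead of toggling group read on /etc for the duration of the rcp, root stages only the files newer than a stamp into a directory that the unprivileged copy user owns, with owner-only permissions, and that user then ships the staging tree to the secondary host. The function name stage_newer, the SRC/STAGE/STAMP/OWNER arguments, the use of mktemp and the paths in the usage sketch are assumptions for this example; the remote transfer itself stays outside the function.

```shell
#!/bin/sh
# Added example, not the original poster's rcopy scripts.
# stage_newer SRC STAGE STAMP [OWNER]
#   Copy regular files under SRC that are newer than STAMP into STAGE,
#   keeping their relative paths, then refresh STAMP. Prints the number of
#   files staged. Run as root with STAGE owned by the copy user (OWNER);
#   /etc itself never has to be made readable to that user.
stage_newer() {
    src=$1; stage=$2; stamp=$3; owner=$4
    umask 077                              # anything we create is owner-only
    mkdir -p "$stage" || return 1
    list=$(mktemp) || return 1             # unpredictable temp name
    if [ -f "$stamp" ]; then
        find "$src" -type f -newer "$stamp" > "$list"
    else
        find "$src" -type f > "$list"      # first run: stage everything
    fi
    while read -r f; do
        rel=${f#"$src"/}                   # path relative to SRC
        mkdir -p "$stage/$(dirname "$rel")"
        cp -p "$f" "$stage/$rel"
        chmod go-rwx "$stage/$rel"         # owner-only, whatever /etc had
        if [ -n "$owner" ]; then chown "$owner" "$stage/$rel"; fi
    done < "$list"
    n=$(wc -l < "$list" | tr -d ' ')
    rm -f "$list"
    touch "$stamp"                         # next run copies only newer files
    echo "$n"
}

# Usage sketch (as root), with the transfer done by the copy user 'etc'
# (paths are assumed for this example):
#   stage_newer /etc /home/etc/stage /home/etc/stamp etc
#   su etc -c 'rcp -pr /home/etc/stage etc@news:/etc/hal-pc.org'
```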