Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a home network with multiple Windows computers protected using the firewall on the router. I have a mostly working backup system using rsync from internal client machines (some are Windows) to a backup machine.
What I propose here is bad security (although the firewall is totally blocked), but I want functionality, not security.
I am using cwrsync, a free rsync utility employing a bare-bones Cygwin installation containing only the necessary components to run an rsync backup. On one of the Windows clients, the scheduler runs rsync periodically and the backups are made in each user's directory.
I set up RSA keys on the Windows machines and the machine to which the backups would be done, and arranged for each backup to be placed in a user home directory allocated for each machine so that passwords are not required. Rsync runs and transfers files automatically. Great so far!
It then seemed like a good idea to be able to recover any particular file back to a client machine using a web interface.
By adding a web server to the backup machine and arranging for rsync to store the backups in each user's directory in the web directory /home/user/public_html, a browser on any client machine can see and access backup files: click on a file and download a backup copy of the file.
This works except for one problem. I need each user directory to be group-owned by www-data.
The public_html directory has to be accessible by the web server. If you change the group or ownership to www-data, then a browser can see and download files, but rsync then demands a password. If you change the ownership and group to the user, then rsync works but the web server can't see the files.
I have tried adding Allowgroups www-data to /etc/ssh/ssh_config and that doesn't work. I tried creating a directory owned by www-data - nope.
I need to somehow override the ssh insistence that the ownership of the backup directory must be that of the user, or get it to accept a group ownership from www-data. Is there a way to do this?
Alternatively, is there a way to get rsync to back up files without a password and thereby not use ssh?
No. If you use /home/<user>/public_html, files are accessible by the web browser if the owner of the file is <user>:<user> (<user> is the actual name of the user).
You should have enabled the option to serve /home/<user>/public_html in Apache.
The backup process should write the backup with the credentials of <user>. Permissions must be 644 or more relaxed.
If you are still not able to serve from public_html, check the Apache docs. My (Debian) system does it so I know it is possible.
If your backup process cannot copy as <user>, you should change the ownership after the backup. That can be done using ssh by simply issuing the chown command in the ssh call. However, you would have to chown as root, and that requires root access over ssh, which is discouraged. I have not found a better solution yet.
You were right about Apache not needing www-data group memberships and only needing the user ownership and membership.
The key to getting it to work was that the permissions of the directory have to include executable.
To me that is odd since I only need to read the directory not execute anything in it. Oh well - good old unix.
Thanks for your suggestion about where to be directing effort.
Yes, the x bit must be set on a directory to be able to look into it (more specifically, to traverse it). On directories it is actually not called the execute bit (directories cannot be executed!) but usually the search bit, less frequently the traversal or recurse bit. It is still represented by x, so many people wrongly call it the execute bit.
Last edited by astrogeek; 12-26-2014 at 02:22 AM.
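The two replies above (the answer about serving public_html as <user> with 644 files and 755 directories, and the note on the search bit) as one added example. This is not code posted by anyone in the thread. It assumes Apache runs as www-data with no extra group memberships and mod_userdir enabled (on Debian: a2enmod userdir, which serves /home/*/public_html), and that sshd runs with its default StrictModes yes, which refuses public-key login when the login user's home directory is owned by someone else or is group/world-writable; that refusal is the usual reason rsync over ssh falls back to a password prompt once the home directory is handed to www-data. The first function checks the layout both services need, the second applies it as the user (so no root chown over ssh is required), and the third shows the r-versus-x behaviour on directories. The path names, function names and the sample tree are mine.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from any poster).
# Assumptions (mine, not stated in the thread): Apache runs as www-data with
# mod_userdir enabled, sshd has its default StrictModes yes. GNU stat/find.

# Octal permission bits of a path, e.g. 755.
mode_of() { stat -c '%a' "$1"; }

# check_userdir_layout HOME_DIR [OWNER]
# Returns 0 when HOME_DIR is usable by both sshd (key login as OWNER) and
# Apache mod_userdir; otherwise prints the first problem found and returns 1.
check_userdir_layout() {
  local home="$1" owner="${2:-$(stat -c '%U' "$1")}" pub="$1/public_html" m bad
  [ -d "$pub" ] || { echo "missing $pub"; return 1; }
  # sshd StrictModes: ~ must belong to the login user ...
  [ "$(stat -c '%U' "$home")" = "$owner" ] ||
    { echo "$home is not owned by $owner (sshd will reject the key)"; return 1; }
  m=$(mode_of "$home")
  # ... and must not be writable by group (020) or others (002).
  [ $(( 0$m & 022 )) -eq 0 ] ||
    { echo "$home is group/world writable ($m); sshd will reject the key"; return 1; }
  # www-data is an "other" user here: it needs the search bit (001) on ~ to
  # reach public_html; read permission on ~ itself is not required.
  [ $(( 0$m & 001 )) -ne 0 ] ||
    { echo "$home lacks o+x ($m); www-data cannot traverse it"; return 1; }
  # public_html must be readable (directory index) and searchable by others.
  m=$(mode_of "$pub")
  [ $(( 0$m & 005 )) -eq 5 ] ||
    { echo "$pub needs o+rx ($m)"; return 1; }
  # Every backup file needs o+r (644 or more relaxed), every subdirectory o+rx.
  bad=$(find "$pub" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \) | head -n 1)
  [ -z "$bad" ] || { echo "not world-readable: $bad"; return 1; }
  return 0
}

# fix_userdir_layout HOME_DIR
# Applies the minimal permissions as the user; no root chown over ssh needed.
fix_userdir_layout() {
  local home="$1"
  chmod o+x "$home"                              # 711 is enough for traversal
  chmod -R u+rwX,go+rX,go-w "$home/public_html"  # directories 755, files 644
}

# search_bit_demo MODE
# Illustrates the last reply: with only r on a directory you can list the
# names in it but not reach the files; with only x you can open a known file
# but not list the directory. The demo runs as the directory's owner, so pass
# owner-class modes (400 = r only, 100 = x only). Root bypasses both checks.
search_bit_demo() {
  local mode="$1" tmp list=no traverse=no
  tmp=$(mktemp -d)
  mkdir "$tmp/d" && echo data > "$tmp/d/f"
  chmod "$mode" "$tmp/d"
  ls "$tmp/d" >/dev/null 2>&1 && list=yes          # needs r (opendir/readdir)
  cat "$tmp/d/f" >/dev/null 2>&1 && traverse=yes   # needs x (path lookup)
  chmod 700 "$tmp/d"; rm -rf "$tmp"
  echo "list=$list traverse=$traverse"
}
```

Because the backup is written as <user>, rsync can also set these permissions at transfer time instead of a separate fix step, with its own --chmod option: `rsync -av --chmod=D755,F644 /path/to/data/ user@backup:public_html/` (the D and F prefixes apply to directories and files respectively). That keeps ~ owned by the user, which is exactly what sshd's StrictModes check wants, and gives Apache nothing more than world-readable files under a traversable home directory.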