Re: Sudo + ssh and rsnapshot: msg#00027

sysutils.backup.rsnapshot.general

Subject: Re: Sudo + ssh and rsnapshot

Martin,

The extra junk before "rsync\ --server*)" and the execution of the
"$SSH_ORIGINAL_COMMAND" is there so that someone who got your key
can't execute whatever they want IN ADDITION to the command you allow:

ssh -i the-key-file-in-question the-remote-rsync-hostname "do ; bad ; things ; rsync --server --sender doesnt matter"

It's not perfect, and it is shell, but it tries to do the right thing.
I just wanted to explain why it is there.

Troy

------------------
#!/bin/sh
# Forced command for the authorized_keys entry: inspect what the client
# asked to run and only pass through an rsync server invocation.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    rsync\ --server*)
        # Only reached when the command starts with "rsync --server",
        # so nothing can be prepended to it.
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected"
        ;;
esac
------------------

On 8/7/06, Martin Schröder <martin@xxxxxxxxxx> wrote:
> 2006/8/7, David Cantrell <david@xxxxxxxxxxxxxxx>:
> > That's the best solution in my opinion - there's a good write-up here
> > http://troy.jdmz.net/rsnapshot/
> > on configuring ssh to work securely with rsnapshot and the root user.
> Indeed. My rrsync.sh is a bit shorter and further limits to read-only:
> ------------------
> case "$SSH_ORIGINAL_COMMAND" in
>     *"rsync --server --sender"*)
>         logger -t rrsync "$SSH_ORIGINAL_COMMAND"
>         sudo $SSH_ORIGINAL_COMMAND
>         ;;
>     *)
>         echo "Sorry, command rejected"
>         exit 1
>         ;;
> esac
> ------------------
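To make the difference between the two wrappers concrete, here is an added example (not Troy's or Martin's script) that turns each wrapper's matching logic into a pure check function returning accept/reject, and runs both against a constructed normal rsnapshot command and the injection shape Troy describes above.

```sh
#!/bin/sh
# Added example: the two forced-command wrappers from the thread as
# status-only check functions, so their behaviour can be compared offline.
# Each returns 0 (accept) or 1 (reject); a real wrapper would only run
# $SSH_ORIGINAL_COMMAND in the accept branch.

# Troy's approach: reject the metacharacters his script lists, then
# require the command to START with "rsync --server".
check_troy() {
    case "$1" in
        *\&*|*\(*|*\{*|*\;*|*\<*|*\`*) return 1 ;;
        rsync\ --server*) return 0 ;;
        *) return 1 ;;
    esac
}

# Martin's approach: accept when "rsync --server --sender" appears
# ANYWHERE in the command (read-only restriction, but a substring match,
# so the first word of the command is not constrained).
check_martin() {
    case "$1" in
        *"rsync --server --sender"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample commands (assumed rsnapshot option string):
# GOOD is the shape of a normal pull, INJECTED is the case from the thread.
GOOD='rsync --server --sender -vlogDtprRe.iLsfx . /etc'
INJECTED='do ; bad ; things ; rsync --server --sender doesnt matter'

# Convenience report for running the file by hand.
report() {
    for cmd in "$GOOD" "$INJECTED"; do
        check_troy "$cmd"   && t=accept || t=reject
        check_martin "$cmd" && m=accept || m=reject
        printf 'troy=%s martin=%s : %s\n' "$t" "$m" "$cmd"
    done
}
```

Running `report` shows the substring match accepting the injected command while the prefix-plus-filter check rejects it.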
