[NBLUG/talk] Duplicating a server
Lincoln Peters
sampln at sbcglobal.net
Mon Nov 21 11:27:42 PST 2005
On Monday 21 November 2005 10:44 am, Chris Palmer wrote:
> E Frank Ball writes:
> > export RSYNC_PASSWORD=
>
> rsync(1) says: "WARNING: On some systems environment variables are
> visible to all users. On those systems using --password-file is
> recommended."
I don't know if Linux is the same way, but passing the password to rsync as a
command-line argument is scary no matter how you look at it. Not only do you
have the password stored in clear-text in an environment variable (which may
or may not be visible to all users; I don't know), but you also have the
password stored in clear-text in a shell script! And, yes, the
--password-file argument has the same problem of storing the password in
clear text.
There are (or should be) ways to address all of these issues. You can (or you
should be able to) configure your system so that environment variables are
not visible to all users. You can deny read/write/execute permissions on
your shell script (and your password file, if you use one) to everyone except
the owner. You can use Cryptoloop to encrypt your hard disk, so that someone
with physical access to the computers who might use a boot disk (e.g. a
Knoppix CD) to override the permissions on those files still wouldn't be able
to read them.
The problem is that the security chain is only as strong as its weakest link.
If you forget even one tiny little detail, it puts the entire system at risk.
So you're probably better off using SSH key authentication, thus avoiding the
issue of passwords altogether and thereby eliminating several links from the
chain.
--
Lincoln Peters
<sampln at sbcglobal.net>
If a man has talent and cannot use it, he has failed.
-- Thomas Wolfe
/~\ The ASCII Ribbon Campaign
\ / No HTML/RTF in email
X No Word docs in email
/ \ Respect for open standards
More information about the talk
mailing list