Re: [SLE] (with better English) Re: [SLE] backup operation: back up the files belong to www-run



On Sun, 2006-10-29 at 16:50 +0800, 张韡武 wrote:
On Sat, 2006-10-28 at 17:33 +0200, Leendert Meyer wrote:
Yes, but IMHO this seems only a partial solution, as it does not take
care of the read-permission problem. ;-) 600 means only wwwrun or
root have read-access.

But combined with root login via ssh-key would be not quite bad at
all.

The webserver administrator is unfortunately no longer working here, so
I got no ways to ask but in his original security policy, it is only
possible to login via ssh-key (password login is disabled).

Next time I'll do it better: here is the better English version:
The webserver administrator is unfortunately no longer working here, so
I have no way to ask him. In his original security policy, both password
login and root login are disabled.

Does it make sense to turn off root ssh login and to turn off password
login at the same time? This is the current situation but I want to am I
lowering down security level by enabling root login but keep password
login disabled?

Does it make sense to have both password login and root login disabled?
I wonder: if I enable root login (but keep password login disabled), am I
lowering the security level significantly?

If the backup script logs in as root and uses an ssh-key, this backup
machine, once cracked, gives a cracker full access to the web server.
However, I can do it this way: the backup script asks for a passphrase
before connecting to the remote web server. This requires someone to go
to that machine to type the passphrase every day when the backup begins.
What do you think? Is this the best approach?
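
As an added example (not part of the original message): a small Python check of the two sshd_config settings the message discusses, showing which root login paths each combination leaves open. The sample configurations are constructed, the default values are an assumption that varies by OpenSSH version, and `forced-commands-only` is a real `PermitRootLogin` value that the message does not mention.

```python
# Added example: audit the global part of an sshd_config for the two
# settings discussed above. Keyboard-interactive/PAM auth is not modelled.

# Assumed defaults; they differ between OpenSSH versions, so pass your own.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def effective(config_text, defaults=ASSUMED_DEFAULTS):
    """Return effective global values; sshd keeps the FIRST value per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        if len(parts) >= 2 and key not in seen:
            seen[key] = parts[1].lower()
    merged = dict(defaults)
    merged.update(seen)
    return merged

def root_access(cfg):
    """Which ways can root authenticate under these settings?"""
    prl = cfg["permitrootlogin"]
    password_on = cfg["passwordauthentication"] == "yes"
    key_shell = prl in ("yes", "prohibit-password", "without-password")
    return {
        "root_password": prl == "yes" and password_on,
        "root_key_shell": key_shell,
        # forced-commands-only: key login only when the key carries command="..."
        "root_key_forced_command": key_shell or prl == "forced-commands-only",
    }

# Constructed samples: the policy described, the change being considered,
# and a narrower variant for a backup key.
CURRENT = "PermitRootLogin no\nPasswordAuthentication no\n"
PROPOSED = ("PasswordAuthentication no\nPermitRootLogin yes\n"
            "PermitRootLogin no   # later duplicate is ignored by sshd\n")
RESTRICTED = "PermitRootLogin forced-commands-only\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("current", CURRENT), ("proposed", PROPOSED),
                       ("restricted", RESTRICTED)):
        print(name, root_access(effective(text)))
```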
