0

I'm distributing load between two web servers, which means all of the Apache settings and vhosts are pretty much identical, and I wanted to make sure they stay that way by using LSync (or if there's another solution that helps with the problem I'm having, let me know)

So obviously Apache runs as the apache user, and we cant enable root SSH logins, so I created an lsync user that can SSH between the two servers using RSA keys.

And now I'm running into some permissions errors, which is kinda what I expected to happen really. What I'm trying now is I added the lsync user to the apache group, and the apache user to the lsync group... and that seems to work ok, as long as the files are chowned 7 for both the user and the group...

I thought about setting a cron job to chown apache.apache every so often, and maybe even chmod +rwx for the group and user, but I'm sure that would cause some other issues.

I thought about having lsync run as the apache user, but it looks like the apache home directory needs to actually be owned by root.root.. so that would cause issues with the apache user trying to ssh in and read from the .ssh directory.

I couldn't find much about this when I looked on Google... Most people just used the root user for lsync, which is out of the question.

So if anyone has a fix, that would be great! thanks

P.S. I know that I can allow the lsync user to execute specific commands via sudo, if I properly configure the sudoers configuration... is there a way to have it sudo chown apache.apache /var/www && sudo chmod -R u+rwx /var/www or something?

Justin
  • 1,959
  • 5
  • 22
  • 40

2 Answers2

1

rsync has an option for forcing the permissions of the files it creates on the destination: --chmod=<blah>. lsyncd does not have direct support for this, but can pass-through rsync flags.

Try adding this to your lsyncd configuration:

_extra = {"--chmod=Dug+rwx,Fug+rw"}

That should ensure that directories, D, have read/write/execute permissions for owner and group, and files, F, have read/write permissions for owner and group. Any other permissions should be set as they are on the source server.

If you need the files to be owned by the apache user then you could set up a chown cron job, as you suggest, but you might find that a constantly running script that reads the output from inotifywatch will be more responsive (and mostly idle).

ams
  • 24,923
  • 4
  • 54
  • 75
0

You might consider having the apache user run an rsync daemon. It's little used since tunnelling rsync through ssh is more convenient and more secure, but it might help you side-step this problem.

You need to set up a configuration file, and then simply launch it with rsync --daemon using whatever init system your distro has.

You can then configure your lsynd with target = "rsync://server/path".

If the connection between the servers is local and the network is trusted then you're done, otherwise you should configure the rsync daemon to listen only on 127.0.0.1, and then use an ssh -L port mapping to route the traffic through an encrypted tunnel (the owner of the tunnel is not important).

ams
  • 24,923
  • 4
  • 54
  • 75
  • I thought about this, however the Apache home directory is owned by root, so I dont think having the rsa keys in the .ssh folder within the root directory will be readable by apache for RSA authentication.. And I would think chowning the directory from root to apache would cause some issues... what do you think? – Justin Apr 21 '16 at 16:58
  • Read what I wrote again; I'm not suggesting SSH to Apache user. – ams Apr 21 '16 at 17:06