There is one other option. Use ssh public key authentication to bypass the whole PAM/role nonsense and restrict what the user can do with the command option. See sshd(8) in its AUTHORIZED_KEYS FILE FORMAT section.

On Sun, May 6, 2012 at 10:37 PM, Dave Pooser <dave...@pooserville.com> wrote:
> On 5/6/12 8:04 AM, "Jeppe Toustrup" <openindi...@tenzer.dk> wrote:
>
>>2. SSH in as dedicated unprivileged user, which then has permissions
>>to run rsync with root permissions through sudo.
>
> This is how I do it, which also has the advantage of letting me give sudo
> permissions to run specific scripts that (for example) quiesce a database,
> snapshot the filesystem, reactivate the database, mount the snapshot, and
> then perform further operations on the snapshot while the database is
> humming along. Makes backup windows much more manageable....
> --
> Dave Pooser
> Cat-Herder-in-Chief, Pooserville.com
> "...Life is not a journey to the grave with the intention of arriving
> safely in one pretty and well-preserved piece, but to slide across the
> finish line broadside, thoroughly used up, worn out, leaking oil, and
> shouting GERONIMO!!!" -- Bill McKenna

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
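
The `command` option mentioned in the reply at the top of this message, shown as an added example that is not part of the original thread: a forced-command wrapper that lets a backup key do nothing except act as the sending side of an rsync pull. The script path, `ALLOWED_ROOT`, the key comment and the key material are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: forced-command wrapper. authorized_keys line (key is a placeholder):
#   command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... backup-puller
# sshd runs this script instead of the client's request and passes that
# request in SSH_ORIGINAL_COMMAND.

# Assumption: the only tree this key may read (hypothetical path).
ALLOWED_ROOT="/export/backup-src/"

# Return 0 only for the sending side of an rsync pull from under ALLOWED_ROOT.
allowed_command() {
    cmd=$1
    # Character whitelist: quotes, ; | & $ backticks, globs and newlines are refused.
    case $cmd in
        ""|*[!A-Za-z0-9\ ./_-]*) return 1 ;;
    esac
    # "--sender" means the remote end only sends files (a pull, not a push).
    case $cmd in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    seen_path=1
    # Unquoted on purpose: split into words (no glob characters can be present).
    for word in ${cmd#"rsync --server --sender "}; do
        case $word in
            --*) return 1 ;;                 # no further long options
            -*|.) ;;                         # short-option bundle or "." placeholder
            *..*) return 1 ;;                # no parent-directory traversal
            "$ALLOWED_ROOT"*) seen_path=0 ;; # source path inside the allowed tree
            *) return 1 ;;                   # anything else, including other paths
        esac
    done
    return $seen_path
}

# Entry point under sshd. With no requested command (interactive login) the
# script simply ends, so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # word-split only, never eval or sh -c
    fi
    logger -p auth.warning "rsync-only: refused command for ${LOGNAME:-unknown}"
    exit 1
fi
```

The rsync source distribution also ships an `rrsync` script (under `support/`) that fills the same role with fuller option handling.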