{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 手持菜刀,她持情操 的问题《Safe way to synchronize ressources between servers》','https://www.manongdao.com/q-1082803.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I need to synchronize ressources from a master server to a slave server. I use rsync because it can synchronize folder recursively using incremental file list. I have been able to make it work the simpliest way using ssh-keys. Everything is fine but it doesn't work through php shell_exec function. Here is what I have done so far, and where I am getting stuck. Help would be appreciated!
Master and slave servers are on ubuntu 14.04.4
Creation of the ssh-key folder within user's home directory.
mkdir ~/.ssh
chmod 0700 ~/.ssh
Creation of a private / public ssh key with no passphrase
ssh-keygen -f ~/.ssh/id_rsa -q -P ""
Unsure slave server can receive master public ssh key
// log in slave server
mkdir ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys
Copy public key to the slave server (where I want to synchronize ressources)
// log in master server
su ssh-copy-id -i ~/.ssh/id_rsa.pub [slave user]@[slave host]
Test synchronisation of an existing folder... let's say www/js/
rsync -avz -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress ~/www/js/ [slave user]@[slave host]:~/www/js/
Yay, all works fine.
I log on slave server, remove www/js folder recursively.
I log on master server
I create a simple php script to test if it work within as a "shell command"
test.php
var_dump(shell_exec('rsync -avz -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress ~/www/js/ [slave user]@[slave host]:~/www/js/'));
The synchronization doesn't work from php. Probably because php runs width www-data user? How can I make it work safely from pĥp?
** edit : this answer is not a secure. Please see my other answer **
I finally found out how to make it work
copy private ssh-key to www-data's home folder. Then php will be able to rsync through shell_exec function
www-data's home folder is /var/www/ (in my case Ubuntu 14)
create .ssh folder if not present
copy ssh key and set proper rights
This line now works for me :
If it helps someone...
But since I know a lot in security but can't say I'm a specialist, I wonder if that is secure ?
As suggested by symcbean, my previous answer was is a security risk. Making www-data able to access remote hosts without password may be really dangerous. A better approach is to set up a linux user, lets say "wwwsync", that will handle rsync with remote hosts, and let www-data execute rsync "under wwwsync user". That way, we can control / secure rsync by setting up what wwwsync user can and cannot do.
Creation of a linux user that will handle synchronization (let's say wwwsync), and create the ssh-key folder within user's home directory.
Creation of a private / public ssh key with no passphrase
Unsure slave server can receive master public ssh key
Copy public key to the slave server (where I want to synchronize ressources)
Make www-data user (php) able to perform rsync under wwwsync user
This line will then work properly from php
Next important step : Make sure that wwwsync has rights and permissions properly set, according to your needs, so www-data won't synchronize unwanted ressources to your remote servers.