Website Backup Script with Enhanced Security


#1

Hello All,

I used to have the following script to create tars and dumps of the various websites I have.

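#!/bin/bash
# Per-site settings: entries at the same index belong to the same site.
domains=( domain1.tld domain2.tld domain3.tld )
domainUser=( domainuser001 domainuser002 domainuser003 )
# Sparse arrays: a site with no entry has no database to dump.
# Indices are 0-based, so domain3.tld is index 2 (index 3 is never visited).
dbUser=( sqluser001 [2]=sqluser003 )
dbPasswd=( sqlpasswd001 [2]=sqlpasswd003 )
dbName=( db001 [2]=db003 )
dbHost=( mysql.domain1.tld )
BACKUP_DIR=backups
BACKUP_USER=domainuser001
hostName=${dbHost[0]}
# tar below uses paths relative to the backup user's home directory.
cd "/home/${BACKUP_USER}" || exit 1
count=${#domains[@]}
#
for ((index=0; index < count; index++))
do
    # Backup site: copy the tree, then archive the copy.
    rsync -qrp --exclude=".svn" "/home/${domainUser[$index]}/${domains[$index]}" "/home/${BACKUP_USER}/${BACKUP_DIR}/"
    tar -czf "${BACKUP_DIR}/$(basename "${domains[$index]%%.*}")_$(date +%Y_%m_%d).tgz" "${BACKUP_DIR}/${domains[$index]}"

    if [[ ${dbName[$index]} ]]
    then
        # Use the site's own database host if set, otherwise the first one.
        if [[ ${dbHost[$index]} ]]
        then
            hostName=${dbHost[$index]}
        else
            hostName=${dbHost[0]}
        fi

        # -p on the command line can expose the password to other local users
        # through the process list; a --defaults-extra-file readable only by
        # the backup user avoids that.
        mysqldump -h "${hostName}" -u "${dbUser[$index]}" -p"${dbPasswd[$index]}" "${dbName[$index]}" | gzip > "/home/${BACKUP_USER}/${BACKUP_DIR}/$(basename "${domains[$index]%%.*}")_$(date +%Y_%m_%d).gz"
    fi

    # Remove the uncompressed copy once it has been archived.
    rm -rf "/home/${BACKUP_USER}/${BACKUP_DIR}/${domains[$index]}/"
done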

But since the big hack attack on DH, I changed every account to use enhanced security, and as a consequence the domain directories of each user are now inaccessible from the backup/shell user I had set up before.

change_dir "/home/domainuser002" failed: Permission denied (13)

I thought about creating a group and chgrp each existing domain directory, then adding the domain users to that group. But will this cause any issues on the website side?

BTW I read the Unix Groups wiki and looked at the setperms.sh file but don’t believe that to be a viable solution since some sites have well over 10,000 files.

I know I can create a new user without enhanced security, create a unix group, create a backups directory under that user, chgrp that directory, add all the existing users to the new unix group, and then create individual cron jobs to back up the websites to this new user’s directory, but I’d hate to do it that way.

Any suggestions?

Thanks,
Jw


#2

I’m thinking along similar lines. Some ideas in this thread may help: http://discussion.dreamhost.com/thread-134413.html


#3

I modified the shell script to use the key-based solution with one user and one cron.

Here’s the new example script…

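#!/bin/bash
# Per-site settings: entries at the same index belong to the same site.
domains=( domain1.tld domain2.tld domain3.tld )
domainUser=( domainuser001 domainuser002 domainuser003 )
# Sparse arrays: a site with no entry has no database to dump.
# Indices are 0-based, so domain3.tld is index 2 (index 3 is never visited).
dbUser=( sqluser001 [2]=sqluser003 )
dbPasswd=( sqlpasswd001 [2]=sqlpasswd003 )
dbName=( db001 [2]=db003 )
dbHost=( mysql.domain1.tld )
BACKUP_DIR=backups
BACKUP_USER=domainuser001
hostName=${dbHost[0]}
sshHostName=( ssh.domain1.tld [2]=ssh.domain3.tld )
sshHost=${sshHostName[0]}
# Private key used for every site; keep it readable by the backup user only.
keyfile=/home/${BACKUP_USER}/keyDirectory/PrivateKeyNameHere
# tar below uses paths relative to the backup user's home directory.
cd "/home/${BACKUP_USER}" || exit 1
count=${#domains[@]}
#
for ((index=0; index < count; index++))
do
    # Use the site's own SSH host if set, otherwise the first one.
    if [[ ${sshHostName[$index]} ]]
    then
        sshHost=${sshHostName[$index]}
    else
        sshHost=${sshHostName[0]}
    fi

    # Backup site: pull the tree over SSH as the site's own user, then archive it.
    rsync -qrp --exclude=".svn" --exclude="cache" --exclude="tmp" -e "ssh -i ${keyfile}" "${domainUser[$index]}@${sshHost}:/home/${domainUser[$index]}/${domains[$index]}" "/home/${BACKUP_USER}/${BACKUP_DIR}/"
    tar -czf "${BACKUP_DIR}/$(basename "${domains[$index]%%.*}")_$(date +%Y_%m_%d).tgz" "${BACKUP_DIR}/${domains[$index]}"

    if [[ ${dbName[$index]} ]]
    then
        # Use the site's own database host if set, otherwise the first one.
        if [[ ${dbHost[$index]} ]]
        then
            hostName=${dbHost[$index]}
        else
            hostName=${dbHost[0]}
        fi

        # -p on the command line can expose the password to other local users
        # through the process list; a --defaults-extra-file readable only by
        # the backup user avoids that.
        mysqldump -h "${hostName}" -u "${dbUser[$index]}" -p"${dbPasswd[$index]}" "${dbName[$index]}" | gzip > "/home/${BACKUP_USER}/${BACKUP_DIR}/$(basename "${domains[$index]%%.*}")_$(date +%Y_%m_%d).gz"
    fi

    # Remove the uncompressed copy once it has been archived.
    rm -rf "/home/${BACKUP_USER}/${BACKUP_DIR}/${domains[$index]}/"
done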

The only issue I have now is that one domain has a phplist database that is separate from the main one so I’ll need to come up with a solution for that sort of issue.

I set up the ssh keys based on this article and restricted access to the dreamhost machine my backup user is on.

Enjoy,

Jw