Secure Remote Backups (using SSH) - Using a backup user account

Michael Haertjens mhaertjens at cfl.rr.com
Mon Mar 21 22:23:28 GMT 2005


Hello David,

Though the information here is on a BSD web site, it should apply equally to 
any OS.
  
http://www.bsdnews.org/01/rsync_backups.php

And if you do end up needing a root login for some reason, look into the 
"forced-commands-only" alternative for PermitRootLogin 
in /etc/ssh/sshd_config (assuming you would have it set to No otherwise).  If 
you go that route, you will want to run a script like the following to make 
sure that the only commands the root login will accept are to run rsync:

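#!/bin/sh
# Forced command: sshd places the command the client requested in
# $SSH_ORIGINAL_COMMAND. Only rsync server invocations are run.
case "$SSH_ORIGINAL_COMMAND" in
   *\&*)
      # refuse anything containing "&"
      echo "Rejected"
      exit 1
      ;;
   *\;*)
      # refuse anything containing ";"
      echo "Rejected"
      exit 1
      ;;
   rsync\ --server*)
      # left unquoted on purpose so the string splits into rsync's arguments
      $SSH_ORIGINAL_COMMAND
      ;;
   *)
      echo "Rejected"
      exit 1
      ;;
esac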

The O'Reilly book on SSH discusses this in some detail.

Good luck

Mike Haertjens

On Monday 21 March 2005 04:13 pm, David Nicholls wrote:
> Hi There.
>
> I am very sorry for the complete noob question :)
>
> I was looking at the basic remote rsync backup article at:
>
> http://servers.linux.com/article.pl?sid=04/11/04/0346256&tid=119&tid=47&pagenum=1
>
> I am backing up various servers, both locally and remotely. I am only
> interested in backing up /home and /var/log. I can do almost everything
> as a user backup, with the other users being members of group backup
> with read permissions on all the relevant files needed to backup.
> However, I also need to backup an email server which uses MailDir. The
> default permissions of which are dwrx------, so cannot be placed into
> the backup group.
>
> I don't want to 'auto' ssh using the root account, for obvious reasons,
> I also do not think it a good idea to change the default permissions on
> the MailDir directories!
>
> I just wondered if some kind soul would give me a pointer! Obviously I
> need to make the solution as secure as possible and I'm sure there is
> some stupidly obvious solution, but for once google isn't helping! :)
>
> As a possible answer to my own question, if I do not run rsync as a
> daemon, when I invoke the rsync command, does it read settings from
> rsyncd.conf? If so I can ssh using the backup user and run rsync as root?
>
> Thanks
>
> Dave
>
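
The forced-command check from the reply above, as an added example that is not part of the original post: it goes further than the posted script by using a character allowlist instead of rejecting only "&" and ";", by requiring --sender so the key can only read, and by vetting every source path. The function name check_backup_command and the backup roots (/home and /var/log, taken from the question) are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for a pull-only rsync backup key.
# Assumption: the backup roots are /home and /var/log, as in the question.
LC_ALL=C; export LC_ALL

# Print "allow" or "reject: <reason>"; return 0 only for an allowed request.
check_backup_command() {
    cmd=$1
    # Character allowlist: anything else (quotes, globs, newlines, shell
    # operators) is refused before the string is ever word-split.
    case "$cmd" in
        *[!A-Za-z0-9\ ./_,=-]*) echo "reject: character outside allowlist"; return 1 ;;
    esac
    # --sender means the remote side only reads; without it rsync would write.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) echo "reject: not a read-only rsync request"; return 1 ;;
    esac
    seen_dot=0 npaths=0
    for arg in $cmd; do
        if [ "$seen_dot" -eq 0 ]; then
            case "$arg" in
                .) seen_dot=1 ;;
                rsync|--server|--sender) ;;
                --*|[!-]*) echo "reject: unexpected argument"; return 1 ;;
            esac
            continue
        fi
        # After the lone "." every argument is a source path.
        npaths=$((npaths + 1))
        case "$arg" in
            *..*) echo "reject: parent-directory reference"; return 1 ;;
            /home|/home/*|/var/log|/var/log/*) ;;
            *) echo "reject: path outside backup roots"; return 1 ;;
        esac
    done
    [ "$npaths" -gt 0 ] || { echo "reject: no source path"; return 1; }
    echo "allow"
}

# Runs only as the sshd forced command, where sshd sets SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if verdict=$(check_backup_command "$SSH_ORIGINAL_COMMAND"); then
        set -f    # no globbing during the unquoted expansion
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Rejected ($verdict)" >&2
    exit 1
fi
```

The script is attached to the backup key with the command="..." option in authorized_keys. Long options other than --server and --sender are refused, so any that the backup job really sends have to be added to the allowlist deliberately.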

