Using rsync to backup remote server as root
Andrew Gideon
c182driver1 at gideon.org
Sun Aug 30 18:24:20 MDT 2009
On Thu, 27 Aug 2009 16:30:55 +1200, Nathan Ward wrote:

> --rsync-path="sudo rsync"

Another way to achieve something similar would be to have PermitRoot set
to without-password, and then set up a key pair for remote login. In
authorized_keys2, the remote access for this key pair can be limited to
the rsync command.

When considering these, be sure to look at your security goals and how
they're impacted. In the sudo case, you're giving a user account the
ability to run rsync as root. That is, effectively, read-write access to
everything.

In the without-password case, you're giving similar access to anyone that
has access to the private key (though you can limit this to a given IP
address in authorized_keys2).

It goes further than this (i.e. the sudo case is also giving that
read-write access to the remote user running the backup command). I'd want
to give this some careful thought before choosing.

There's also the possibility of combining the two ideas. The remote user
logs into a local non-root user. This is done using a key pair, and the
local user has no password (so no password attacks on the local user
account). The key pair, via authorized_keys2, has access only to the
"sudo rsync" command.

- Andrew
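
One way to limit a key pair to the rsync command as the message above describes, shown as an added example that is not part of the original post or of rsync itself: a forced-command wrapper that sshd runs through `command=` and that accepts only a read-only rsync pull, with or without the `sudo rsync` prefix. The install path, client address, key, user name and sudoers line are constructed placeholders.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a backup-only SSH key.
# Constructed authorized_keys entry (path, address and key are placeholders):
#   from="192.0.2.10",command="/usr/local/bin/rsync-pull-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER backup@client
# For the combined sudo variant, a constructed sudoers line for a hypothetical
# "backup" user:
#   backup ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *

NL='
'

# Return 0 only if $1 is the remote half of a read-only rsync pull.
rsync_cmd_allowed() {
    cmd=$1
    case $cmd in
        # Defence in depth: the exec below involves no shell, but refuse
        # anything carrying shell metacharacters or a newline anyway.
        *';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'`'*|*'$'*|*'('*|*')'*|*"$NL"*)
            return 1 ;;
        # A sender can still be told to delete what it sent or to write a
        # log file on this host; refuse those options.
        *' --remove-'*|*' --log-file'*)
            return 1 ;;
        # "--server --sender" is what a client pulling files asks the remote
        # side to run; a push has --server without --sender and is refused.
        'rsync --server --sender '*|'sudo rsync --server --sender '*)
            return 0 ;;
    esac
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for when a forced
# command is in effect. If it is unset (interactive login attempt) the script
# simply ends, so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f                      # no glob expansion while word-splitting
        exec $SSH_ORIGINAL_COMMAND  # limitation: paths with spaces will not survive
    fi
    echo "rejected: only a read-only rsync pull is allowed" >&2
    exit 1
fi
```

This filter is not an exhaustive option whitelist, and a sender running under sudo can still read every file on the host. The rrsync script distributed with rsync restricts options and paths more thoroughly.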