Using rsync to backup remote server as root

henri henri at
Thu Sep 3 15:53:27 MDT 2009

> > --rsync-path="sudo rsync"
> Another way to achieve something similar would be to have PermitRoot  
> set
> to without-password, and then set up a key pair for remote login.  In
> authorized_keys2, the remote access for this key pair can be limited  
> to
> the rsync command.
> When considering these, be sure to look at your security goals and how
> they're impacted.  In the sudo case, you're giving a user account the
> ability to run rsync as root.  That is, effectively, read-write  
> access to
> everything.
> In the without-password case, you're giving similar access to anyone  
> that
> has access to the private key (though you can limit this to a given IP
> address in authorized_keys2).
> It goes further than this (ie. the sudo case is also giving that read-
> write access to the remote user running the backup command).  I'd  
> want to
> give this some careful thought before choosing.
> There's also the possibility of combining the two ideas.  The remote  
> user
> logs into a local non-root user.  This is done using a key pair, and  
> the
> local user has no password (so no password attacks on the local user
> account).  The key pair, via authorized_keys2, has access only to the
> "sudo rsync" command.

You may also want to consider a wrapper script to limit what the private
key allows access to on the machine which you are backing up.

Details on this procedure and also an example wrapper script are  
available from the following URL :

Good luck.

More information about the rsync mailing list