Rsync over ssh with root privileges

Kevin Korb kmk at sanitarium.net
Mon Jul 23 10:17:58 MDT 2012


The syntax is explained here: http://sanitarium.net/rsyncfaq/#sudo
Even though I wrote that particular FAQ entry I have never actually
tried it as I think it is a rather silly use of sudo.

> sudo rsync -avP --exclude 'proc' --exclude 'dev' --exclude 'tmp' 
> --exclude 'sys' --exclude 'mnt' --rsync-path='sudo rsync' -e "ssh
> -t -t -i /home/USER/.ssh/key" USER at SERVER:/  /mnt/backup/

My first thought is that if you configure sudo to not require a
password and drop the -t -t in the ssh part it will probably work.

My second thought is that you would be far better off just doing the
ssh as root using a restricted key.  To do that I would suggest:
1. In the server's sshd_config set:
PermitRootLogin without-password
2. In the server's /root/.ssh/authorized_keys file:
from="hostname of your system",command="/path/to/rrsync -ro /" ssh-rsa
...........

This will allow the ssh key that you are using to only work from the
specified host name and to only be able to run rsync and in read-only
mode.  This will allow for the simple mirroring of a system which
appears to be what you are trying.  Note that if your distro doesn't
include rrsync with rsync it is a perl script that is in the support
directory of the rsync source tarball.

The without-password option sounds a bit scary but what it means is
that root is not allowed to log in via a password but only via keys
that have been authorized.

My third thought is that if you are mirroring a system you probably
want --hard-links and you might want --numeric-ids.

And my final thought is that if you want backups instead of just
simple mirroring then look into --link-dest.

On 07/23/12 03:53, Stayvoid wrote:
> Kevin,
> 
>> Since you are using sudo on the remote end have you configured it
>> to not require a password for that user to run rsync?
> 
> No, I haven't. Could you tell me how to do it?
> 
> And what about the syntax? Is it ok?

-- 
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
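Added example, not part of Kevin's post or of the rsync project: a small Python audit that parses authorized_keys entries and flags any key that lacks the from= restriction or a command= of rrsync in read-only mode, as recommended above. The file content below is constructed for illustration; the path and host names are assumptions.

```python
import re

# Key-type token followed by the key blob and an optional comment; the options
# field (if any) is everything before the match.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")

def parse_options(opts):
    """Split the options field on commas, honouring double-quoted values
    that may themselves contain commas or spaces (from="a,b", command="x y")."""
    result, buf, quoted = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            if buf.strip():
                name, _, val = buf.strip().partition("=")
                result[name] = val.strip('"')
            buf = ""
        else:
            buf += ch
    return result

def parse_line(line):
    """Return (options, key type, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    return parse_options(line[:m.start()]), m.group(1), (m.group(3) or "").strip()

def audit(text):
    """List (key comment, [problems]) for every key; an empty list means the
    key is pinned to a source host and limited to read-only rrsync."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, ktype, comment = parsed
        problems = []
        if "from" not in opts:
            problems.append("no from= restriction")
        argv = opts.get("command", "").split()
        if not argv:
            problems.append("no command= restriction")
        elif not argv[0].endswith("rrsync"):
            problems.append("command is not rrsync")
        elif "-ro" not in argv[1:]:
            problems.append("rrsync not read-only (-ro)")
        findings.append((comment or ktype, problems))
    return findings

SAMPLE = """\
# constructed sample of a root authorized_keys file (hosts and keys are made up)
from="backup.example.internal",command="/usr/bin/rrsync -ro /" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 backup@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx1 admin@laptop
command="/usr/bin/rrsync /" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1 writer@example
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE):
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against a real file with audit(open("/root/.ssh/authorized_keys").read()) to see which root keys could run more than a read-only rsync.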