Using rsync to mirror directories where root owns file, using non-root user to initiate session

Kevin Korb kmk at sanitarium.net
Wed Jun 20 21:40:57 MDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/20/12 21:53, Karl O. Pinc wrote:
> On 06/20/2012 05:29:09 PM, Kevin Korb wrote:
>> http://www.sanitarium.net/rsyncfaq/#sudo
> 
> Along these lines...
> 
> Somehow or another you need root access on the remote side in order
> to properly set permissions. You can use ssh public keys to invoke
> a rsync daemon. In /root/.ssh/authorized_keys you put the public
> key on a line like:

Not permissions, ownership.  Only root can create or modify files with
arbitrary ownership and only root can change the ownership of a file.
This is the basic *nix file security model.  It has nothing to do
with rsync other than rsync being constrained to it.

> no-pty,command="rsync --server --daemon ." ssh-dss ....
> 
> This allows someone with the private key on the local end to run a
> remote rsync server as root.  To invoke on the client side see the
> rsync man page section: USING RSYNC-DAEMON FEATURES VIA A
> REMOTE-SHELL CONNECTION

This is what rrsync can accomplish.  It is designed to allow rsync
access only to a specific directory even when running as root.

> rsync -av -e "ssh -l ssh-user" rsync-user at host::module /dest

Now you are talking rsyncd over ssh. Still as root.  The benefit is
minimal at best.

> In addition to no-pty you may also wish to use no-agent-forwarding,
> no-port-forwarding, no-user-rc, no-X11-forwarding and, possibly,
> from="pattern-list".

agreed

> The problem with the above is that the remote end does run as root,
> so you're relying on your remote rsync config to keep the user from
> doing bad things on the remote end.
> 
> See also the rrsync script in the rsync examples directory.  rrsync
> can be used as the command= value instead of the above rsync
> command.

Yes, see rrsync.  It is in the support directory of the rsync source
code.

Also see --fake-super which allows you to store super user features
like file ownership in the file extended attributes instead of in the
filesystem.  Therefore root isn't required.

> 
>> 
>> On 06/20/12 18:26, PEOPLES, MICHAEL P wrote:
>>> I have spent a day researching and attempting to debug this
>>> issue. I am hoping someone can tell me how (or disabuse me of
>>> the delusion that it's possible) to do the following:
>>> 
>>> - Mirror the contents of a directory on one server to a remote 
>>> server where there are diverse ownership and permissions
>>> 
>>> - File and directory ownership on both the source and
>>> destination servers would normally prevent the user account
>>> initiating the rsync session from accessing, modifying, or
>>> changing attributes of the files and directories in question
>>> 
>>> - Session authentication of the initiating user on the remote 
>>> server must be by public key
>>> 
>>> - No root logins are permitted on either server
>>> 
>>> I can successfully transfer the files with the user account,
>>> but if the files have ownership attributes that need to be set
>>> on the remote (destination) server, using the --owner, --group,
>>> and/or --perms options produces errors indicating the
>>> "Operation is not permitted".  When logged into the remote
>>> server as the user, I still cannot modify the attributes, only
>>> root (super user) can do this.  The "--super" command line
>>> option appears to have no effect.
>>> 
>>> Both servers are Red Hat Linux.  I am using rsync 3.0.9.
>>> 
>>> The only way I can conceive of doing this would be to record
>>> the file attributes, transfer the files (along with a record of
>>> their attributes), then run a script using sudo that would move
>>> the files into their final location and set the attributes.
>>> This, however, would seem to defeat much of the purpose of
>>> rsync.
>>> 
>>> The manuals suggest there is a way to invoke super user 
>>> functionality when contacting a daemon instance, but I could
>>> not get this to work.  However, this appears to require
>>> contacting an rsync daemon started by root.  Attempting to
>>> perform the rsync, while simultaneously using the public key,
>>> which can only be used when "ssh" is invoked, seems to exclude
>>> the use of the daemon on the remote side, effectively running
>>> the entire rsync session as the user without elevated
>>> privileges.
>>> 
>>> In short, I want to copy files from one server to another, and
>>> have all ownership and permissions preserved (including root),
>>> using rsync to perform "privileged" operations to set file
>>> attributes properly and a public key to authenticate the user.
>>> 
>>> Thanks.
>>> 
>>> 
>>> Michael Peoples (mp4783)
>>> Senior Systems Manager
>>> AT&T - ATTSI
>>> Office/Cell:  614-886-0923
>>> mpeoples at att.com
>>> 
>>> This e-mail and any files transmitted with it are AT&T
>>> property, are confidential, and are intended solely for the use
>>> of the individual or entity to whom this email is addressed. If
>>> you are not one of the named recipient(s) or otherwise have
>>> reason to believe that you have received this message in error,
>>> please notify the sender and delete this message immediately
>>> from your computer. Any other use, retention, dissemination,
>>> forwarding, printing, or copying of this e-mail is strictly
>>> prohibited."
>>> 
>>> 
>>> 
>> 
>> -- 
>> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
>> 	Kevin Korb			Phone:    (407) 252-6853
>> 	Systems Administrator		Internet:
>> 	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
>> 	Orlando, Florida		kmk at sanitarium.net (personal)
>> 	Web page:			http://www.sanitarium.net/
>> 	PGP public key available on web site.
>> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
>> 
> 
> 
> 
> 
> Karl <kop at meme.com>
> Free Software:  "You don't pay back, you pay forward."
>                  -- Robert A. Heinlein
> 

- -- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/il8kACgkQVKC1jlbQAQe4UwCg0JZA1euJZ7Jlm6gVokL06+Of
P58AoN0n4xnBP18ApCry2YQaWENYR331
=0hcI
-----END PGP SIGNATURE-----
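The rrsync approach Kevin points to, shown as an added example that is not the rrsync script from rsync's support/ directory and not code from anyone in this thread: a cut-down Python re-implementation of the same forced-command idea, so the individual checks that make a `command=` key safe are visible. When sshd runs a forced command it leaves the client's real request in `SSH_ORIGINAL_COMMAND`; the filter accepts only `rsync --server`, screens options against constructed allow-lists (narrower than real rrsync's), refuses write-side options and non-sender mode when the module is read-only, confines every path inside the module directory, and only then execs rsync. The script path `/usr/local/bin/rsync-filter.py`, the `-ro` flag and the module path `/srv/mirror` are assumed names for illustration.

```python
#!/usr/bin/env python3
"""Minimal rrsync-style filter for an SSH forced command (added example,
not rsync's own rrsync). Assumed authorized_keys entry:

  command="/usr/local/bin/rsync-filter.py -ro /srv/mirror",no-pty,... ssh-ed25519 AAAA...

sshd runs this script instead of the client's command and puts the client's
real request in $SSH_ORIGINAL_COMMAND; rsync is exec'd only if it passes.
"""
import os
import shlex
import sys
from typing import List


class Rejected(Exception):
    """The client's request must not run."""


# Short server flags accepted in '-<bundle>' (constructed list). 'e' is
# followed by the protocol capability string (e.g. -e.iLsfxC), so it consumes
# the rest of its bundle. 's' (--protect-args) is deliberately absent: with it
# the paths travel inside the protocol, where this filter cannot see them.
ALLOWED_SHORT = set("vnlHogDtprRxCzuyiJLkKEAXe")

# Long options accepted in either mode (constructed list).
ALLOWED_LONG = {
    "--server", "--sender", "--numeric-ids", "--compress", "--fake-super",
    "--existing", "--ignore-existing", "--size-only", "--specials",
    "--devices", "--links", "--new-compress", "--old-compress",
}
ALLOWED_LONG_PREFIX = (
    "--exclude=", "--include=", "--filter=", "--max-size=", "--timeout=",
    "--bwlimit=", "--modify-window=", "--checksum-seed=", "--out-format=",
    "--log-format=",
)
# Options that change files in the module: accepted only for a writable module.
WRITE_OPTS_PREFIX = (
    "--delete", "--remove-source-files", "--remove-sent-files", "--backup",
    "--inplace", "--partial",
)


def confine_path(arg: str) -> str:
    """Map a client path to a path relative to the module directory.

    A leading '/' means the module root (the client sees the module as its
    whole filesystem); anything that climbs above it after normalisation is
    refused, so '..' tricks cannot reach the rest of the host.
    """
    rel = arg.lstrip("/")
    norm = os.path.normpath(rel) if rel else "."
    if norm == ".." or norm.startswith("../"):
        raise Rejected(f"path escapes module: {arg!r}")
    return norm


def filter_command(original: str, read_only: bool) -> List[str]:
    """Return the argv to exec (paths made relative) or raise Rejected."""
    argv = shlex.split(original)
    if len(argv) < 3 or argv[:2] != ["rsync", "--server"]:
        raise Rejected("only 'rsync --server' invocations are allowed")
    out = ["rsync", "--server"]
    is_sender = False
    i = 2
    while i < len(argv) and argv[i] != ".":   # options end at the '.' separator
        opt = argv[i]
        if opt.startswith("--"):
            allowed = (opt in ALLOWED_LONG
                       or opt.startswith(ALLOWED_LONG_PREFIX)
                       or (not read_only and opt.startswith(WRITE_OPTS_PREFIX)))
            if not allowed:
                raise Rejected(f"option not allowed: {opt}")
            is_sender = is_sender or opt == "--sender"
        elif opt.startswith("-") and len(opt) > 1:
            for ch in opt[1:]:
                if ch not in ALLOWED_SHORT:
                    raise Rejected(f"flag not allowed: -{ch}")
                if ch == "e":           # rest of the bundle is the capability string
                    break
        else:
            raise Rejected(f"unexpected argument: {opt!r}")
        out.append(opt)
        i += 1
    if i == len(argv):
        raise Rejected("missing '.' separator before the paths")
    if read_only and not is_sender:
        raise Rejected("read-only module: the server must be the sender")
    paths = [confine_path(p) for p in argv[i + 1:]]
    if not paths:
        raise Rejected("no path given")
    return out + ["."] + paths


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        sys.stderr.write("usage: rsync-filter.py [-ro] MODULE_DIR\n")
        return 2
    read_only = "-ro" in argv[1:-1]
    try:
        cmd = filter_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""), read_only)
    except Rejected as exc:
        sys.stderr.write(f"rsync-filter: {exc}\n")
        return 1
    os.chdir(argv[-1])           # relative paths now resolve inside the module
    os.execvp(cmd[0], cmd)       # replaces this process; returns only on failure
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pair the `command=` entry with the other restrictions from Karl's list (`no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding` and, where the peer is fixed, `from=`): the forced command bounds what rsync may do, the rest close the other channels the key would otherwise open. Real rrsync additionally understands more options and newer protocol arguments; use it rather than this sketch in production.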

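What `--fake-super` actually stores, as an added example (my code, not rsync's): on Linux rsync keeps each file's real ownership, full mode and device numbers in the user xattr `user.rsync.%stat`, laid out as octal mode, `major,minor` of rdev and `uid:gid`. That attribute name and value layout are my reading of rsync's xattrs.c and should be treated as an assumption to verify against your own build with `getfattr -n user.rsync.%stat FILE`. The helpers below build the record from a real `lstat()`, write it and read it back, so an unprivileged receiver can keep and inspect root-owned metadata without root; the xattr write is reported as unsupported rather than failing on filesystems without user xattrs.

```python
#!/usr/bin/env python3
"""Encode/decode the metadata rsync --fake-super keeps in an xattr.

Added example, not rsync's code. Attribute name and value format
("%o %u,%u %u:%u") follow rsync's xattrs.c as I read it; verify with
`getfattr -n user.rsync.%stat FILE` on a tree written with --fake-super.
"""
import errno
import os
import stat
import tempfile
from typing import NamedTuple, Optional

XSTAT_ATTR = "user.rsync.%stat"   # Linux name; other platforms drop "user."


class FakeStat(NamedTuple):
    mode: int    # full st_mode: file-type bits plus permission/setuid/sticky bits
    major: int   # device major for block/char specials, otherwise 0
    minor: int
    uid: int
    gid: int


def encode_stat(fs: FakeStat) -> str:
    """Render the value the way rsync writes it, e.g. '100644 0,0 0:0'."""
    return f"{fs.mode:o} {fs.major},{fs.minor} {fs.uid}:{fs.gid}"


def decode_stat(value: str) -> FakeStat:
    """Parse a stored value back; raises ValueError on anything malformed."""
    mode_s, dev_s, ids_s = value.split(" ")
    major_s, minor_s = dev_s.split(",")
    uid_s, gid_s = ids_s.split(":")
    return FakeStat(int(mode_s, 8), int(major_s), int(minor_s), int(uid_s), int(gid_s))


def stat_to_fake(st: os.stat_result) -> FakeStat:
    """Build the record from a real lstat(), as a root-side sender sees it."""
    is_dev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
    rdev = st.st_rdev if is_dev else 0
    # 0o177777 = type bits (0o170000) plus mode bits (0o7777)
    return FakeStat(st.st_mode & 0o177777, os.major(rdev), os.minor(rdev),
                    st.st_uid, st.st_gid)


def write_fake_super(path: str, fs: FakeStat) -> bool:
    """Store the record on a file we own. False if user xattrs are unsupported."""
    try:
        os.setxattr(path, XSTAT_ATTR, encode_stat(fs).encode(), follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return False
        raise
    return True


def read_fake_super(path: str) -> Optional[FakeStat]:
    """Return the stored record, or None if the file carries none."""
    try:
        raw = os.getxattr(path, XSTAT_ATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    return decode_stat(raw.decode())


if __name__ == "__main__":
    # Demo on a temp file: pretend it was root-owned, mode 0600, on the source.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        wanted = FakeStat(0o100600, 0, 0, 0, 0)
        if write_fake_super(path, wanted):
            print(XSTAT_ATTR, "=", encode_stat(read_fake_super(path)))
        else:
            print("no user xattrs here; value would be", encode_stat(wanted))
        print("real stat of the file:", encode_stat(stat_to_fake(os.lstat(path))))
    finally:
        os.unlink(path)
```

Because the real file stays owned by the unprivileged receiver, the stored uid/gid are only as trustworthy as whoever can write that xattr: anyone with write access to the destination tree can relabel a file as root-owned, which matters the moment the tree is restored with `--fake-super` on the sending side and a root-run receiver applies it.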
