How to manage root<-->root rsync keeping permissions?

raf rsync at raf.org
Tue Aug 3 22:20:06 UTC 2021


On Tue, Aug 03, 2021 at 10:51:34AM +0000, Andy Smith via rsync <rsync at lists.samba.org> wrote:

> Hi Chris,
> 
> On Tue, Aug 03, 2021 at 09:48:37AM +0100, Chris Green via rsync wrote:
> > But how do you handle the other end to restore the root ownership etc.?
> > The script has to do something like:-
> > 
> >     rsync -a /etc/ chris@remote:backups/etc/
> > 
> > So at the remote end it only has chris' privileges.
> 
> A couple of options:
> 
>     https://strugglers.net/~andy/blog/2021/04/10/rsync-and-sudo-without-x-forwarding/
> 
> Since you want to automate it I'd go with letting root log in by ssh
> key only, and force the key to work only with a specific script.
> 
> Here is an example forced command that only allows rsync:
> 
>     https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/
> 
> This is still vulnerable to doing anything that rsync can do. You
> can secure it further by making a script that only does the specific
> things you need rsync to do, e.g. the exact parameters and paths,
> and force that script instead.
> 
> Cheers,
> Andy

An easy way to restrict rsync (or anything else that
operates over ssh) to only the precise commands you
need it to do, without allowing it free rein, is my
sshdo program (https://github.com/raforg/sshdo). You
can use it to learn what rsync is doing, then lock it
down to only what it has seen happen and nothing else.
That might help.

cheers,
raf
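
The forced-script approach Andy describes (permit only the exact rsync invocation and paths), as an added example that is not part of either message and is not sshdo. The script name and install path, the key placeholder and the allowed command string are assumptions made for illustration.

```shell
#!/bin/sh
# Forced command for a root backup key (added example; names are hypothetical).
# Receiving host, /root/.ssh/authorized_keys (key material is a placeholder):
#   restrict,command="/usr/local/sbin/rsync-backup-only" ssh-ed25519 AAAA...PLACEHOLDER backup
# and in sshd_config:  PermitRootLogin forced-commands-only
#
# ALLOWED holds one exact server-side command per line. The entry below is a
# constructed sample: the option string varies between rsync versions, so take
# the real one from the "denied" log line produced by a first, rejected run.
ALLOWED='rsync --server -logDtpre.iLsfxC . backups/etc/'

# is_allowed CMD: succeed only if CMD is identical to one whole ALLOWED line.
# Whole-string comparison means a prefix, an appended "; cmd" or an embedded
# newline can never match.
is_allowed() {
    [ -n "$1" ] || return 1
    while IFS= read -r line; do
        [ "$line" = "$1" ] && return 0
    done <<EOF
$ALLOWED
EOF
    return 1
}

forced_command() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    if is_allowed "$cmd"; then
        set -f        # no globbing; split into words and exec directly, no eval
        exec $cmd
    fi
    # Record what was refused so unexpected use of the key is visible.
    logger -t rsync-backup-only -p auth.warning "denied: $cmd" 2>/dev/null
    echo "rsync-backup-only: command not permitted" >&2
    exit 1
}

# sshd sets SSH_CONNECTION for every session; elsewhere only define functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    forced_command
fi
```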



