Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

Wayne Davison wayne at opencoder.net
Fri Mar 11 20:12:51 UTC 2022


On Fri, Mar 11, 2022 at 4:57 AM Dr. Mark Asbach via rsync <
rsync at lists.samba.org> wrote:

> b) Passing the password to sudo via stdin using --rsync-path "echo
> MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897).


In that ask-ubuntu example they are running a client rsync via sudo, not
the server side.  The server requires the socket to be on stdin, so you
can't use stdin earlier on the command-line for something else.

One thing you could do is to create a custom askpass script that provides
the password on stdout. You must put that script on each remote system
because the SUDO_ASKPASS environment variable must only contain a program
name, so it will not allow a one-line remote invocation (i.e.
SUDO_ASKPASS="echo FOO" fails). For example, create a shell script named
something like echo-askpass:

#!/bin/sh
echo "$SUDO_PASS"

and then use this option to rsync:

--rsync-path "SUDO_ASKPASS=/path/echo-askpass SUDO_PASS=MYPASS sudo -A rsync"

You could simplify that by moving those environment variables into your
ansible config, perhaps by grabbing the password out of the ansible vault
or having ansible prompt the user. That would let you run "sudo -A rsync"
and not have the password in the command.  The ansible docs detail how to
set remote environment variables.

..wayne..
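
An added example, not part of the original message or of rsync: shell helpers that install the askpass script described above with owner-only permissions and build the --rsync-path value with the password shell-quoted, so that passwords containing spaces, quotes or $ survive the remote shell. The function names sh_quote, write_askpass and build_rsync_path are hypothetical; the helper uses printf instead of echo because some sh implementations expand backslash escapes in echo's argument.

```sh
#!/bin/sh
# Added example; sh_quote, write_askpass and build_rsync_path are
# hypothetical names, not part of rsync or sudo.

# Single-quote a string for a POSIX shell: each ' becomes '\''
sh_quote() {
    escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "$escaped"
}

# Write the askpass helper to $1, readable and executable by its owner only.
# sudo -A runs the program named in SUDO_ASKPASS and reads the password
# from its standard output.
write_askpass() {
    ( umask 077
      printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$SUDO_PASS"' > "$1"
      chmod 700 "$1" )
}

# Print the value for --rsync-path.
#   $1 = path of the helper on the remote host
#   $2 = password
#   $3 = command to run (default: sudo -A rsync)
build_rsync_path() {
    printf 'SUDO_ASKPASS=%s SUDO_PASS=%s %s' \
        "$(sh_quote "$1")" "$(sh_quote "$2")" "${3:-sudo -A rsync}"
}

# Usage (not run here; PW, src/ and host:/dst/ are placeholders):
#   rsync -a --rsync-path "$(build_rsync_path /path/echo-askpass "$PW")" \
#       src/ host:/dst/
```

The value built this way still carries the password in the remote command, which is what setting the variables through the ansible config, as suggested above, avoids.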