Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

Bri Hatch bri at ifokr.org
Sat Mar 12 06:36:49 UTC 2022


On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org>
wrote:

> Rsync includes a script named rrsync that handles this perfectly.
>

And authprogs provides similar functionality, though you use yaml to define
what is/isn't allowed. However it does allow you to use one SSH identity
for potentially many different source dirs rather than requiring a separate
authorized_key entry for each forced command.

example:

    - rule_type: rsync
      allow_download: true
      allow_recursive: true
      paths:
        - /etc
        - /srv/freezeray
      path_startswith:
        - /srv/web
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules




>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
> > On 12/03/22 18:38, Richard Hector via rsync wrote:
> >> And I do my backups (using dirvish) as root, using a key with a forced
> >> command.
> >
> > FWIW, that forced command is here:
> >
> > https://github.com/rwhector/dirvish-forced-command
> >
> > It's rather unpolished and undocumented, but comments very welcome :-)
> >
> > I've also had an issue due to some server-side-only arguments to rsync
> > being undocumented, which means I can't validate them, and basically
> > have to accept anything ... I'd love to know why this is or has to be
> > the case :-) I didn't get any particularly useful answers back in
> > January 2019 ...
> >
> > Cheers,
> > Richard
> >
>
> --
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>         Kevin Korb                      Phone:    (407) 252-6853
> <http://voice.google.com/calls?a=nc,%2B14072526853>
>         Systems Administrator           Internet:
>         FutureQuest, Inc.               Kevin at FutureQuest.net  (work)
>         Orlando, Florida                kmk at sanitarium.net (personal)
>         Web page:                       https://sanitarium.net/
>         PGP public key available on web site.
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>


-- 
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
 to like it. Oh yes."
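
Added example (not part of the original message and not authprogs' own code): a Python sketch of the kind of check a forced command can run on SSH_ORIGINAL_COMMAND, reading `paths` as exact matches and `path_startswith` as prefixes. The function names, the RULE dict, the directory-boundary prefix match and the assumed shape of the rsync server command line are assumptions of this example.

```python
import posixpath
import shlex

# Constructed policy mirroring the rule in the post; not read from a real config.
RULE = {
    "allow_download": True,
    "allow_recursive": True,
    "paths": ["/etc", "/srv/freezeray"],
    "path_startswith": ["/srv/web"],
}

def path_allowed(path, rule):
    """Exact match on 'paths'; directory-boundary match on 'path_startswith'."""
    if not path.startswith("/"):
        return False
    # Collapses '..' segments and trailing slashes; does not resolve symlinks.
    norm = posixpath.normpath(path)
    if norm in rule.get("paths", []):
        return True
    return any(norm == p or norm.startswith(p.rstrip("/") + "/")
               for p in rule.get("path_startswith", []))

def check_rsync_command(original_command, rule=RULE):
    """Return (allowed, reason) for the string sshd puts in SSH_ORIGINAL_COMMAND."""
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return False, "unparseable command"
    if argv[:2] != ["rsync", "--server"] or "." not in argv[2:]:
        return False, "not an rsync server invocation"
    sep = argv.index(".", 2)
    opts, targets = argv[2:sep], argv[sep + 1:]
    download = "--sender" in opts
    if not rule.get("allow_download" if download else "allow_upload"):
        return False, "transfer direction not allowed"
    # Assumption: short flags arrive as one bundle such as -logDtpre.iLsfxC,
    # where the letters before 'e' are the client's options.
    short = "".join(o[1:].partition("e")[0] for o in opts
                    if o.startswith("-") and not o.startswith("--"))
    if "r" in short and not rule.get("allow_recursive"):
        return False, "recursive transfer not allowed"
    if not targets or not all(path_allowed(t, rule) for t in targets):
        return False, "path not allowed"
    return True, "ok"
```

A production check would also resolve symlinks (for example with realpath) before matching, since normalizing the string alone does not stop a link inside an allowed directory from pointing elsewhere.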