Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Bri Hatch
bri at ifokr.org
Sat Mar 12 06:36:49 UTC 2022
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org>
wrote:
> Rsync includes a script named rrsync that handles this perfectly.
>
And authprogs provides similar functionality, though you use yaml to define
what is/isn't allowed. However it does allow you to use one SSH identity
for potentially many different source dirs rather than requiring a separate
authorized_key entry for each forced command.
example:
    - rule_type: rsync
      allow_download: true
      allow_recursive: true
      paths:
        - /etc
        - /srv/freezeray
      path_startswith:
        - /srv/web
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules
>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
> > On 12/03/22 18:38, Richard Hector via rsync wrote:
> >> And I do my backups (using dirvish) as root, using a key with a forced
> >> command.
> >
> > FWIW, that forced command is here:
> >
> > https://github.com/rwhector/dirvish-forced-command
> >
> > It's rather unpolished and undocumented, but comments very welcome :-)
> >
> > I've also had an issue due to some server-side-only arguments to rsync
> > being undocumented, which means I can't validate them, and basically
> > have to accept anything ... I'd love to know why this is or has to be
> > the case :-) I didn't get any particularly useful answers back in
> > January 2019 ...
> >
> > Cheers,
> > Richard
> >
>
> --
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
> Kevin Korb Phone: (407) 252-6853
> Systems Administrator Internet:
> FutureQuest, Inc. Kevin at FutureQuest.net (work)
> Orlando, Florida kmk at sanitarium.net (personal)
> Web page: https://sanitarium.net/
> PGP public key available on web site.
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
--
Bri Hatch
"Quite mad, they say. It is good that Zathras does not mind. He's even grown
to like it. Oh yes."
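
Added example, not part of the original post and not authprogs' or rrsync's own code: a minimal sketch of the check a forced command can run on SSH_ORIGINAL_COMMAND before executing rsync, using the rule keys quoted above. The names RULE and rsync_allowed are hypothetical, the allow_upload key and the sample command lines are assumptions, and it fails closed on any long option it does not recognise.

```python
import posixpath
import shlex

# Constructed rule mirroring the YAML keys quoted in the post (hypothetical name).
RULE = {
    "allow_download": True,
    "allow_upload": False,  # assumed counterpart of allow_download
    "allow_recursive": True,
    "paths": ["/etc", "/srv/freezeray"],
    "path_startswith": ["/srv/web"],
}

def rsync_allowed(original_command, rule=RULE):
    """Return True if an 'rsync --server' command line fits the rule."""
    if not original_command:  # unset variable: interactive login, refuse
        return False
    try:
        argv = shlex.split(original_command)
    except ValueError:  # unbalanced quotes
        return False
    if argv[:2] != ["rsync", "--server"] or "." not in argv:
        return False
    dot = argv.index(".")  # server-side separator between options and paths
    opts, paths = argv[2:dot], argv[dot + 1:]
    sender = "--sender" in opts  # server sends files: a download for the client
    if not rule.get("allow_download" if sender else "allow_upload", False):
        return False
    for opt in opts:
        if opt == "--sender":
            continue
        # Other long options and bare words are rejected rather than guessed at.
        if opt.startswith("--") or not opt.startswith("-"):
            return False
        flags = opt[1:].split("e", 1)[0]  # text after 'e' is that option's argument
        if "r" in flags and not rule.get("allow_recursive", False):
            return False
    if not paths:
        return False
    for raw in paths:
        path = posixpath.normpath(raw)  # collapse ../ before comparing
        exact = path in rule.get("paths", [])
        # Plain string prefix: /srv/web also matches /srv/website.
        prefix = any(path.startswith(p) for p in rule.get("path_startswith", []))
        if not (exact or prefix):
            return False
    return True
```

A wrapper would call rsync_allowed(os.environ.get("SSH_ORIGINAL_COMMAND")) and only then exec the parsed argument list directly, never through a shell.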