Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
raf
rsync at raf.org
Sun Mar 13 02:02:41 UTC 2022
On Fri, Mar 11, 2022 at 10:36:49PM -0800, Bri Hatch via rsync <rsync at lists.samba.org> wrote:
> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org>
> wrote:
>
> > Rsync includes a script named rrsync that handles this perfectly.
>
> And authprogs provides similar functionality, though you use yaml to define
> what is/isn't allowed. However it does allow you to use one SSH identity
> for potentially many different source dirs rather than requiring a separate
> authorized_key entry for each forced command.
>
> example:
>
> - rule_type: rsync
>   allow_download: true
>   allow_recursive: true
>   paths:
>     - /etc
>     - /srv/freezeray
>   path_startswith:
>     - /srv/web
>
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules

And there's sshdo as well: https://github.com/raforg/sshdo
Like authprogs, it also works with any command, not just rsync.
And it almost configures itself with a learning mode to monitor
commands that need to be allowed. And it can relearn if commands
need to change over time, and unlearn old commands that are no
longer needed.
cheers,
raf
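
A sketch of the kind of check a forced-command wrapper performs for a download-only rsync rule, added here as an example; it is not code from this thread, nor from rrsync, authprogs or sshdo. It assumes the script is installed as the `command="..."` forced command in authorized_keys; the path values come from the quoted rule, while the function names and the matching semantics (exact match for `paths`, directory prefix for `path_startswith`) are assumptions.

```python
import os
import posixpath
import shlex

# Path values come from the rule quoted above; names and matching semantics are assumptions.
ALLOWED_PATHS = {"/etc", "/srv/freezeray"}      # exact matches
ALLOWED_PREFIXES = ("/srv/web",)                # this directory and anything below it


def path_allowed(raw):
    """True if raw, once normalised, is an allowed path or lies under an allowed prefix."""
    if not raw.startswith("/"):
        return False
    # normpath collapses ".." and trailing "/"; it does not resolve symlinks.
    path = posixpath.normpath(raw)
    if path in ALLOWED_PATHS:
        return True
    # Compare whole components so "/srv/website" does not pass as "/srv/web".
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def check_command(original):
    """Return the argv to exec if the request is an allowed download, else None."""
    try:
        argv = shlex.split(original)
    except ValueError:                          # unbalanced quotes
        return None
    # A pull reaches the server as: rsync --server --sender <options> . <path>...
    if argv[:3] != ["rsync", "--server", "--sender"] or "." not in argv:
        return None
    dot = argv.index(".")
    options, paths = argv[3:dot], argv[dot + 1:]
    # Only short option clusters; long options such as --remove-source-files
    # change what the server side does and are refused here.
    if any(not o.startswith("-") or o.startswith("--") for o in options):
        return None
    if not paths or not all(path_allowed(p) for p in paths):
        return None
    return argv


if __name__ == "__main__":
    # sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
    argv = check_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        raise SystemExit("request denied")
    os.execvp(argv[0], argv)
```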