Re: [BackupPC-users] [newb] ssh rsync with restricted permissions

2011-03-21 08:53:25
From: Carl Wilhelm Soderstrom <chrome AT real-time DOT com>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Mon, 21 Mar 2011 07:51:06 -0500
On 03/18 06:46 , Neal Becker wrote:
> I'm interested in setting up linux->linux backup.  I don't like the idea of 
> giving permission for machine1 as user backup to ssh to machine2 as root.  
> What are the options?
> 
> 1. Can ssh be restricted so that the only command user backup can run is 
> rsync?

Create a new user for backuppc to log in as. I typically use 'rsyncbakup'.
In your ~rsyncbakup/.ssh/authorized_keys file, try something like this:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc/*' --exclude='/mnt/*' --exclude='/sys/*' --exclude='/tmp/*' --exclude='/var/tmp/*' --exclude='/var/cache/apt/archives/*' --exclude='/var/log/*' --delete --numeric-ids --block-size=2048 . /" ssh-dss AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= host AT example DOT com

> 2. Is there an easy way (using acls?) to give a user backup read access to 
> everything (probably not)

in /etc/sudoers:
rsyncbakup ALL= NOPASSWD: /usr/bin/rsync


You will also need to set this in your /etc/backuppc/config.pl, or in the
per-host config file for each host you want to back up this way:

$Conf{RsyncClientCmd} = '$sshPath -q -x -l rsyncbakup $host $rsyncPath $argList+';


-- 
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
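An added example, not code from this thread or from BackupPC: a small Python auditor that parses authorized_keys entries like the one above (the options field can contain quoted commas) and reports what would loosen the restriction. The REQUIRED set, the extra no-pty option and the ssh-dss note are this example's own additions; the sample entry is constructed with a placeholder key blob.

```python
import re

# Options a forced rsync command should carry. no-pty is not in the entry quoted in the
# message; it is added here as a tightening (rsync --server never needs a terminal).
REQUIRED = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")             # key types start with these; no option does
OPTIONS_FIELD = re.compile(r'(?:[^\s"]|"[^"]*")+')   # ends at first whitespace outside quotes
OPTION_ITEM = re.compile(r'(?:[^,"]|"[^"]*")+')      # comma-separated; quoted values may hold commas

def parse_entry(line):
    """Return (options dict, key type, key blob, comment) for one non-empty authorized_keys line.
    Assumes no backslash-escaped quotes inside the command= value."""
    line = line.strip()
    head = OPTIONS_FIELD.match(line).group(0)
    rest = line[len(head):].strip()
    if head.startswith(KEY_PREFIXES):                # no options field: first token is the key type
        head, rest = "", line
    opts = {}
    for item in OPTION_ITEM.findall(head):
        name, has_value, value = item.partition("=")
        opts[name] = value.strip('"') if has_value else True
    ktype, blob, *comment = rest.split(None, 2)
    return opts, ktype, blob, comment[0] if comment else ""

def audit(line, expected_command):
    """List what weakens the entry relative to the intended forced-rsync setup."""
    opts, ktype, _blob, _comment = parse_entry(line)
    findings = ["missing option " + o for o in sorted(REQUIRED - set(opts))]
    cmd = opts.get("command")
    if cmd is None:
        findings.append("no forced command: the key grants an unrestricted shell")
    elif cmd != expected_command:
        findings.append("forced command differs from the expected rsync invocation")
    if ktype == "ssh-dss":
        findings.append("ssh-dss key: disabled by default since OpenSSH 7.0")
    return findings

# Constructed sample: the entry from the message, with a placeholder key blob.
EXPECTED_CMD = ("sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc/*' "
                "--exclude='/mnt/*' --exclude='/sys/*' --exclude='/tmp/*' --exclude='/var/tmp/*' "
                "--exclude='/var/cache/apt/archives/*' --exclude='/var/log/*' --delete "
                "--numeric-ids --block-size=2048 . /")
LIST_ENTRY = ('no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="'
              + EXPECTED_CMD + '" ssh-dss AAAAB3PLACEHOLDER= host@example.com')

if __name__ == "__main__":
    for finding in audit(LIST_ENTRY, EXPECTED_CMD) or ["entry matches the intended setup"]:
        print(finding)
```

Because the sudoers rule allows rsync with any arguments, the forced command in authorized_keys is the only thing pinning what runs as root, so auditing it exactly is what matters.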
