On Tue, Aug 03, 2021 at 10:51:34AM +0000, Andy Smith via rsync <rsync@lists.samba.org> wrote:
> Hi Chris,
>
> On Tue, Aug 03, 2021 at 09:48:37AM +0100, Chris Green via rsync wrote:
> > But how do you handle the other end to restore the root ownership etc.?
> > The script has to do something like:-
> >
> >     rsync -a /etc/ chris@remote:backups/etc/
> >
> > So at the remote end it only has chris' privileges.
>
> A couple of options:
>
> https://strugglers.net/~andy/blog/2021/04/10/rsync-and-sudo-without-x-forwarding/
>
> Since you want to automate it I'd go with letting root log in by ssh
> key only, and force the key to work only with a specific script.
>
> Here is an example forced command that only allows rsync
>
> https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/
>
> This is still vulnerable to doing anything that rsync can do. You
> can secure it further by making a script that only does the specific
> things you need rsync to do, e.g. the exact parameters and paths,
> and force that script instead.
>
> Cheers,
> Andy

An easy way to restrict rsync (or anything else that operates
over ssh) to only the precise commands you need it to do,
without allowing it free rein, is my sshdo program
(https://github.com/raforg/sshdo). You can use it to learn what
rsync is doing, then lock it down to only what it has seen
happen and nothing else. That might help.

cheers,
raf
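
Added example, not written by any poster in this thread and not taken from sshdo or the linked articles: a forced-command script of the kind described above, which accepts only one exact rsync server invocation and rejects everything else. The install path, the authorized_keys entry and the pinned option string are assumptions; the option string is a constructed sample and differs between rsync versions.

```shell
#!/bin/sh
# Added example: forced-command wrapper that pins one rsync invocation.
# Assumed install path and authorized_keys entry (key material elided):
#   restrict,command="/usr/local/bin/rsync-etc-only" ssh-ed25519 AAAA... backup
#
# CONSTRUCTED sample of the server-side command line that a client running
# "rsync -a /etc/ root@remote:backups/etc/" sends. The option string varies
# by rsync version: take yours from the "rejected" message this script
# prints and paste it in unchanged.
ALLOWED='rsync --server -logDtpre.iLsfxC . backups/etc/'

# Return 0 only when the requested command is byte-for-byte the pinned one.
# A quoted "=" test does no globbing or prefix matching, so extra options,
# another path, or a trailing "; command" all fail.
is_allowed() {
    [ "$1" = "$ALLOWED" ]
}

# Act on the command sshd passes in SSH_ORIGINAL_COMMAND.
handle_request() {
    requested=${SSH_ORIGINAL_COMMAND-}
    if is_allowed "$requested"; then
        # Word-split our own constant (globbing off); the client-supplied
        # string is compared but never evaluated.
        set -f
        exec $ALLOWED
    fi
    # stderr of a forced command is returned to the ssh client.
    printf 'rsync-etc-only: rejected: %s\n' "$requested" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asks for a command; act
# only then, so sourcing this file for testing has no side effects.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    handle_request
    exit $?
fi
```

A login with this key that requests no command gets no shell: the script exits without running anything.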