Automating Backups
I would like to implement a backup solution which copies data from various directories from a Web server (WebServer) to a local backup server (BackupServer). The backup should run unattended and therefore I would like to use a key based authentication with a passwordless private key.
Privileged Rsync
The directories I want to backup are only readable by a privileged user. I would like to use rsync to copy the files. I created a dedicated backup-user and allow the user to execute rsync with sudo without being prompted for a password with the visudo rule:
backup-user ALL = NOPASSWD: /usr/bin/rsync Security Considerations
I would like to improve security by restricting the commands the backup user can execute by adding a list of commands to the authorized_keys file of the WebServer. I installed rrsync as mentioned in this post.
command="/usr/bin/rrsync",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAA134143NzaC1yc... Rrsync expects a subdirectory
In contrast to the normal rsync, the rrsync expects a subdirectory to be provided in the authorized key file, as described in this blog post
command="/usr/share/rsync/rrsync /var/backup/client1/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa This restriction works but it only allows me to backup one specific directory namely the /var/backup/client1/
I would like to provide the directories I want to backup from the BackupServer in the rsync command. Is there a possibility to use rrsync exactly like rsync, e.g.:
rsync -avze ssh --rsync-path='sudo rrsync' [email protected]:/media/data /backups/Server/ Additional Clarification
I am aware that the command="..." part in authorized_hosts does limit the executable commands for this user to exactly the ones provided, but with the normal rsync, I can do something like this to provide the path I want to backup as a parameter:
command="/usr/bin/rsync --server --sender -vlogDtpre.is . ${SSH_ORIGINAL_COMMAND//* \//\/}" This does not work with rrsync.
Accepted Solution
Although technically not the definitive answer to the question, I think the solution posted by Gilles is a very nice approach. I created a root folder for all the views of the actual directory that I want to backup. For this reason I can safely restrict the authentication to rrsync only.
One time todo sudo mkdir /mnt/Backups-Rsync-Readonly sudo chown -R rsync-backup /mnt/Backups-Rsync-Readonly sudo mkdir /mnt/Backups-Rsync-Readonly/VAR-WWW sudo mkdir /mnt/Backups-Rsync-Readonly/MySQL-Backups sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/ sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/MySQL-Backups sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/VAR-WWW Create views (gone after reboot)
sudo bindfs -o perms=0000:u=rD,force-user=rsync-backup /var/www /mnt/Backups-Rsync-Readonly/VAR-WWW sudo bindfs -o perms=0000:u=rD,force-user=rsync-backup /MySQL-Dumps /mnt/Backups-Rsync-Readonly/MySQL-Backups Fstab version
/home/stefan/Scans /mnt/Backups-Rsync-Readonly/VAR-WWW fuse.bindfs perms=0000:u=rD,force-user=rsync-backup 0 0 Authorized_keys
command="/usr/bin/rrsync -ro /mnt/Backups-Rsync-Readonly",from="192.168.0.10",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB 
command=option inauthorized_keysaccepts only one command that is run. That is it.