Re: [BackupPC-users] [newb] ssh rsync with restricted permissions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 03/18 06:46 , Neal Becker wrote:
> I'm interested in setting up linux->linux backup.  I don't like the idea of 
> giving permission for machine1 as user backup to ssh to machine2 as root.  What 
> are the options?
> 
> 1. Can ssh be restricted so that the only command user backup can run is rsync?

Create a new user for backuppc to log in as. I typically use 'rsyncbakup'.
In your ~rsyncbakup/.ssh/authorized_keys file, try something like this:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc/*' --exclude='/mnt/*' --exclude='/sys/*' --exclude='/tmp/*' --exclude='/var/tmp/*' --exclude='/var/cache/apt/archives/*' --exclude='/var/log/*' --delete --numeric-ids --block-size=2048 . /" ssh-dss AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ho...@ex...

> 2. Is there an easy way (using acls?) to give a user backup read access to 
> everything (probably not)

in /etc/sudoers:
rsyncbakup ALL= NOPASSWD: /usr/bin/rsync

You will also need to set this in your /etc/backuppc/config.pl, or in the per-host config
file for each host you want to back up this way:

$Conf{RsyncClientCmd} = '$sshPath -q -x -l rsyncbakup $host $rsyncPath $argList+';

-- 
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com