Ssh – Allow the restricted rsync (rrsync) script for arbitrary directories with authorized_keys

backup rsync ssh

Automating Backups

I would like to implement a backup solution which copies data from various directories from a Web server (WebServer) to a local backup server (BackupServer). The backup should run unattended and therefore I would like to use key-based authentication with a passwordless private key.

Privileged Rsync

The directories I want to back up are only readable by a privileged user. I would like to use rsync to copy the files. I created a dedicated backup-user and allowed the user to execute rsync with sudo without being prompted for a password with the visudo rule:

    backup-user ALL = NOPASSWD: /usr/bin/rsync

Security Considerations

I would like to improve security by restricting the commands the backup user can execute by adding a list of commands to the authorized_keys file of the WebServer. I installed rrsync as mentioned in this post.

    command="/usr/bin/rrsync",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAA134143NzaC1yc...

Rrsync expects a subdirectory

In contrast to the normal rsync, rrsync expects a subdirectory to be provided in the authorized_keys file, as described in this blog post.

    command="/usr/share/rsync/rrsync /var/backup/client1/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa

This restriction works, but it only allows me to back up one specific directory, namely /var/backup/client1/.

I would like to provide the directories I want to back up from the BackupServer in the rsync command. Is there a possibility to use rrsync exactly like rsync, e.g.:

    rsync -avze ssh --rsync-path='sudo rrsync' backupuser@111.222.33.44:/media/data  /backups/Server/

Additional Clarification

I am aware that the command="…" part in authorized_hosts does limit the executable commands for this user to exactly the ones provided, but with the normal rsync, I can do something like this to provide the path I want to backup as a parameter:

    command="/usr/bin/rsync --server --sender -vlogDtpre.is . ${SSH_ORIGINAL_COMMAND//* \//\/}"

This does not work with rrsync.

Accepted Solution

Although technically not the definitive answer to the question, I think the solution posted by Gilles is a very nice approach. I created a root folder for all the views of the actual directory that I want to back up. For this reason I can safely restrict the authentication to rrsync only.

One time todo

    sudo mkdir /mnt/Backups-Rsync-Readonly
    sudo chown -R rsync-backup /mnt/Backups-Rsync-Readonly
    sudo mkdir /mnt/Backups-Rsync-Readonly/VAR-WWW
    sudo mkdir /mnt/Backups-Rsync-Readonly/MySQL-Backups
    sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/
    sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/MySQL-Backups
    sudo setfacl -m u:rsync-backup:rx /mnt/Backups-Rsync-Readonly/VAR-WWW

Create views (gone after reboot)

    sudo bindfs -o perms=0000:u=rD,force-user=rsync-backup /var/www /mnt/Backups-Rsync-Readonly/VAR-WWW
    sudo bindfs -o perms=0000:u=rD,force-user=rsync-backup /MySQL-Dumps /mnt/Backups-Rsync-Readonly/MySQL-Backups

Fstab version

    /home/stefan/Scans    /mnt/Backups-Rsync-Readonly/VAR-WWW fuse.bindfs perms=0000:u=rD,force-user=rsync-backup 0   0

Authorized_keys

    command="/usr/bin/rrsync -ro /mnt/Backups-Rsync-Readonly",from="192.168.0.10",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB

Best Answer

One possibility would be to create a read-only view of the directories you want that dedicated user to be able to back up, with bindfs. Do not use sudo at all; make rrsync the only command that's allowed to this user. One-time setup:

    mkdir /somewhere/backup-views /somewhere/backup-views/dir1 /somewhere/backup-views/dir2
    chmod 700 /somewhere/backup-views
    # ACL entry syntax is u:<user>:<perms>
    setfacl -m u:backup-user:rx /somewhere/backup-views

Setup after each boot:

    bindfs -o perms=a+r-w /actual/dir1 /somewhere/backup-views/dir1
    bindfs -o perms=a+r-w /actual/dir2 /somewhere/backup-views/dir2

Or corresponding lines in /etc/fstab:

    /actual/dir1 /somewhere/backup-views/dir1 bindfs perms=a+r-w
    /actual/dir2 /somewhere/backup-views/dir2 bindfs perms=a+r-w

Then set up the backup user to run rsync on /somewhere/backup-views.
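
The restrictions this page relies on (rrsync as the only forced command, read-only, confined to the views directory, no sudo) can be checked mechanically. The shell function below is an added example, not code from the question or the answer. The name `audit_key_line` is hypothetical, and the sample entry is constructed with a placeholder key body.

```shell
#!/bin/sh
# Added example: audit one authorized_keys line for a backup key.
# Usage: audit_key_line 'LINE' /expected/view/root
# Prints one finding per line; returns the number of findings (0 = locked down).
audit_key_line() {
    line=$1; root=${2%/}; n=0
    finding() { printf 'FINDING: %s\n' "$1"; n=$((n + 1)); }

    # Options are whatever precedes the key type.
    # Assumption: no " ssh-", " ecdsa-" or " sk-" appears inside the options.
    opts=$(printf '%s\n' "$line" |
        sed -E 's/(^|[[:space:]])(ssh|ecdsa|sk)-[^[:space:]]+([[:space:]].*)?$//')
    cmd=$(printf '%s\n' "$opts" | sed -n 's/.*command="\([^"]*\)".*/\1/p')

    if [ -z "$cmd" ]; then
        finding 'no command="..." option: the key can run any command'
    else
        set -f; set -- $cmd; set +f   # split the forced command into words, no globbing
        prog=$1; shift
        [ "${prog##*/}" = rrsync ] || finding "forced command is $prog, not rrsync"
        ro=no; dir=
        for arg in "$@"; do
            [ "$arg" = -ro ] && ro=yes
            dir=$arg                  # last word: the directory rrsync is confined to
        done
        [ "$ro" = yes ] || finding 'rrsync is not started with -ro (key can write)'
        [ "${dir%/}" = "$root" ] || finding "rrsync directory is '$dir', expected $root"
    fi

    case ",$opts" in *,from=\"*) ;; *) finding 'no from="..." source restriction' ;; esac
    case ",$opts," in
        *,restrict,*) ;;              # OpenSSH "restrict" disables all of these at once
        *) for o in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
               case ",$opts," in *,"$o",*) ;; *) finding "missing $o" ;; esac
           done ;;
    esac
    return "$n"
}

# Constructed sample entry (placeholder key body): rrsync without -ro or from=.
SAMPLE='command="/usr/bin/rrsync /mnt/Backups-Rsync-Readonly",no-pty ssh-rsa AAAAPLACEHOLDER'
audit_key_line "$SAMPLE" /mnt/Backups-Rsync-Readonly || echo "$? finding(s)"
```
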
