SSH – Give user permissions to all files and folders

Tags: backup, permissions, rsync, ssh

I want to have a user who has access to all the files and folders on the system. This is for the purpose of using rsync on a local machine to back up a remote machine.

At the moment we are using the user backups, and although we have added this user to the groups sudo and admin, rsync still returns messages like:

rsync: opendir "/location/to/folder" failed: Permission denied (13)

rsync: send_files failed to open "/location/to/file": Permission denied (13)

Any idea how we give the user backups permission to access everything (short of adding the user to all groups ever – the remote server we are trying to back up is a dedicated hosting server where every account has its own user on the system)?

Thanks for any help.

Best Answer

Just adding the user backups to the user group sudo does not automatically give the account access to all files on the system. It gives the user the permission to run the sudo command.

Since you are using public key authentication (presumably without a passphrase), I would approach this with security and ease of implementation in mind. Using ssh allows you to restrict the user to execute only very specific commands. In this case, you can allow the user backups to execute rsync with superuser permissions.

You have already performed the key exchange and verified authentication is successful. In the authorized_keys file on the remote host that you are backing up the /home directory from, you can add a command= directive to the key that is used by the user backups. This directive will only allow that command to be run when that key is used for authentication. So the first field of the key would look similar to this:

command="/path/to/sudo /path/to/rsync -az /home /local/folder" ssh-rsa AAAAB3NzaC1yblahblahblah

You can go even further and add more options to the key, such as from="myhost",no-pty,no-X11-forwarding.

This should give you decent security and not require you to modify the underlying file system permissions. You will probably need to play with the command that you place in the authorized_keys file until it works like you expect; it may take a bit to wrap your brain around it. The command specified in the authorized_keys will basically override the rsync options you will pass from the connecting host.

Lots of good information in man sshd. You want to specifically read the AUTHORIZED_KEYS FORMAT section.
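
The answer's point that the forced command, not the client, decides what runs can be enforced with a small wrapper that inspects the request before handing it to sudo rsync. This is an added example, not part of the original answer; the script name backup-only, the binary paths, the sudoers setup and the accepted request form are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer): forced-command wrapper.
# Assumed install path /usr/local/bin/backup-only, used in authorized_keys as
#   command="/usr/local/bin/backup-only",no-pty,no-X11-forwarding ssh-rsa AAAA...
# Assumed request form sent by the rsync client for a pull:
#   rsync --server --sender -<flags> . <path>
ALLOWED_ROOT=/home    # tree the backups key may read, as in the answer

# Return 0 only for a read-only rsync sender request under ALLOWED_ROOT.
backup_cmd_allowed() {
    cmd=$1
    case $cmd in      # conservative character set: no shell metacharacters
        ''|*[!A-Za-z0-9\ ._/-]*) return 1 ;;
    esac
    set -f; set -- $cmd; set +f    # split into words without globbing
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    while [ "$#" -gt 2 ]; do       # options before the "." placeholder
        case $1 in
            -[!-]*) ;;             # short-flag cluster, e.g. -logDtprze.iLsfxC
            *) return 1 ;;         # long options are refused
        esac
        shift
    done
    [ "$1" = . ] || return 1
    case $2 in                     # source path must stay inside ALLOWED_ROOT
        *..*) return 1 ;;
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd puts the client's request in SSH_ORIGINAL_COMMAND when command= is set.
# With the variable unset (interactive login) nothing is executed.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if backup_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        # Assumed binary paths; sudoers must let backups run rsync without a password.
        exec /usr/bin/sudo /usr/bin/rsync ${SSH_ORIGINAL_COMMAND#rsync }
    fi
    echo "backup-only: request rejected" >&2
    exit 1
fi
```

The check is deliberately strict: a client that sends long options, or paths containing "..", is refused rather than passed through.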
