# how to use rrsync to make secure backups

## setup

Copy the rrsync script to `/usr/local/bin`:

```
sudo cp /usr/share/rsync/scripts/rrsync /usr/local/bin/
sudo chmod +x /usr/local/bin/rrsync
```

The SSHD configuration file has an option that allows root logins only when the `command` parameter is set. A client can then log in to the server as root if it has a key in root's authorized_keys, but only if that key has the "`command`" parameter set. To activate this behaviour, set the following option in `/etc/ssh/sshd_config`:

```
PermitRootLogin forced-commands-only
```

And don't forget to reload the SSH daemon:

```
sudo systemctl reload sshd
```

## usage

The usage of rrsync is:

```
rrsync [-ro|-wo] SUBDIR
```

rrsync can be restricted to read-only mode with the `-ro` flag, or to write-only mode with the `-wo` flag. The `SUBDIR` argument sets the directory that rrsync is restricted to. rrsync will not be allowed to read from or write to anywhere other than that directory.

To add a command directive to an authorized key, include the directive '`command="my_command"`' in front of the rest of the key on that line in the authorized_keys file. For example, to add a key that is restricted to only being able to run rrsync in read-only mode on the directory `/foo`, you would add the following command directive in front of the key:

```
command="rrsync -ro /foo"
```

When a remote client attempts to use this key to run a command on the host, the `command` directive causes SSHD to ignore any command sent by the client and execute the one specified in the `command` directive instead. rrsync then parses the rsync command the client attempted and executes it only if it determines that it is an allowed action.

Note that any remote directories in the client's rsync command must be specified *relative to the subdirectory* specified in the `command` directive.

For example, if a client wants to pull the contents of the directory `/foo/bar` on the server to the same directory on the client using the key from the example above, they would run the command:

```
rsync -av server:bar/ /foo/bar/
```
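
To confirm that every key in an authorized_keys file really is pinned to rrsync in the form described above, the file can be audited with a small script. This is an added example, not part of the original page or of the rrsync project; the function names, the constructed sample keys and the stricter rule that `SUBDIR` be an absolute path without spaces are assumptions.

```shell
#!/bin/sh
# Added example: audit authorized_keys lines for the rrsync forced command.
# On a server: audit_rrsync_keys < /root/.ssh/authorized_keys  (usual default path)

# Prints one verdict per key line; returns 1 if any key is not pinned to rrsync.
audit_rrsync_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blank lines and comments
        # Take command="..." only from the leading options field, so the same
        # text inside a trailing key comment is not mistaken for a directive.
        cmd=$(printf '%s\n' "$line" | sed -n \
            's/^\([A-Za-z-]*\(="[^"]*"\)\{0,1\},\)*command="\([^"]*\)".*/\3/p')
        if [ -z "$cmd" ]; then
            echo "BAD line $n: no forced command"; bad=1
        # Accept only the form documented on this page: rrsync [-ro|-wo] SUBDIR
        elif printf '%s\n' "$cmd" |
             grep -Eq '^(/usr/local/bin/)?rrsync( -(ro|wo))? /[^ ]+$'; then
            case $cmd in
                *' -ro '*) mode=read-only ;;
                *' -wo '*) mode=write-only ;;
                *)         mode=read-write ;;
            esac
            echo "OK line $n: $mode ${cmd##* }"
        else
            printf 'BAD line %s: forced command is not rrsync: %s\n' "$n" "$cmd"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input (key material is placeholder text, not real keys).
sample_keys() {
    cat <<'EOF'
# backup clients
command="rrsync -ro /foo" ssh-ed25519 AAAAC3placeholder1 backup@client1
from="192.0.2.10",command="rrsync -wo /backups/web" ssh-ed25519 AAAAC3placeholder2 web@client2
ssh-ed25519 AAAAC3placeholder3 admin@laptop
command="/bin/sh" ssh-ed25519 AAAAC3placeholder4 old@host
ssh-ed25519 AAAAC3placeholder5 command="rrsync -ro /foo"
EOF
}

sample_keys | audit_rrsync_keys || echo "audit failed: fix the BAD lines above"
```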