How to set up/manage services on a computer
how to use rrsync to make secure backups

setup

copy the rrsync script to /usr/local/bin:

sudo cp /usr/share/rsync/scripts/rrsync /usr/local/bin/
sudo chmod +x /usr/local/bin/rrsync

The sshd configuration file has an option that allows root logins only when a forced command is set. With it, a client can log in to the server as root if it holds a key listed in root's authorized_keys, but only if that key carries a 'command' directive.

To activate this option, add the following option to /etc/ssh/sshd_config:

PermitRootLogin forced-commands-only

And don't forget to reload the SSH daemon:

sudo systemctl reload sshd

usage

The usage of rrsync is:

rrsync [-ro|-wo] SUBDIR

rrsync can be restricted to read-only mode with the -ro flag, or to write-only mode with the -wo flag; with neither flag, both directions are allowed. The SUBDIR argument sets the directory that rrsync is confined to: rrsync will refuse to read from or write to anywhere outside that directory.

To add a command directive to an authorized key, simply include the directive 'command="my_command"' in front of the rest of the key on that line in the authorized_keys file. For example, to add a key that is restricted to only being able to run rrsync in read-only mode on the directory /foo, you would add the following command directive in front of the key:

command="rrsync -ro /foo" <key>

When a remote client attempts to use this key to run a command on the host, the command directive causes sshd to ignore the command sent by the client and execute the command from the directive instead. sshd hands the client's original command to rrsync in the SSH_ORIGINAL_COMMAND environment variable; rrsync then parses that rsync command and executes it only if it determines that it is an allowed action.

Note that any remote directories in the client's rsync command must be specified relative to the subdirectory given in the command directive. For example, if a client wanted to pull the contents of the directory /foo/bar on the server to the same directory on the client using the key from the example above, they would run the command:

rsync -av server:bar/ /foo/bar/
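The following script is an added example, not part of the original note or of the rrsync project. It assembles the authorized_keys entry from the setup above and checks a constructed sshd_config for the PermitRootLogin setting. The helper names (rrsync_key_line, sshd_root_policy), the sample key and the sample config are all made up for the example. It also adds the OpenSSH 'restrict' key option alongside command=, because command= on its own does not turn off port forwarding, agent forwarding or pty allocation for that key; 'restrict' does.

```shell
#!/bin/sh
# Added example: build a restricted authorized_keys entry for rrsync and
# report the PermitRootLogin policy found in an sshd_config. Runs offline.

# rrsync_key_line MODE SUBDIR PUBKEY
#   MODE is ro (read-only), wo (write-only) or rw (no flag: both allowed).
#   Emits one authorized_keys line. "restrict" (OpenSSH >= 7.2) disables
#   pty, port forwarding, agent forwarding and X11 for this key, which
#   command= alone does not do.
rrsync_key_line() {
    mode=$1; subdir=$2; pubkey=$3
    case "$mode" in
        ro) flag="-ro " ;;
        wo) flag="-wo " ;;
        rw) flag="" ;;
        *)  echo "rrsync_key_line: MODE must be ro, wo or rw" >&2; return 1 ;;
    esac
    case "$subdir" in
        /*) ;;
        *)  echo "rrsync_key_line: SUBDIR must be an absolute path" >&2; return 1 ;;
    esac
    printf 'command="rrsync %s%s",restrict %s\n' "$flag" "$subdir" "$pubkey"
}

# sshd_root_policy FILE
#   Prints the PermitRootLogin value that sshd will use from FILE: the first
#   uncommented occurrence wins (this ignores Match blocks). Prints "default"
#   when the directive is absent.
sshd_root_policy() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Demo on constructed input (a fake key and a fake config file).
demo_key="ssh-ed25519 AAAAexamplekeymaterial backup@client"
rrsync_key_line ro /foo "$demo_key"

demo_cfg=$(mktemp)
printf '# PermitRootLogin yes\nPermitRootLogin forced-commands-only\nPermitRootLogin yes\n' > "$demo_cfg"
echo "PermitRootLogin in constructed config: $(sshd_root_policy "$demo_cfg")"
rm -f "$demo_cfg"
```

Append the line that rrsync_key_line prints to /root/.ssh/authorized_keys on the server; after editing sshd_config, sshd -t reports syntax errors before you reload.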