Linux – Restrict rsync over ssh read only / only copy from remote host

backuplinuxrsync

I want a backup host to be able to pull backups from a remote host.

The backup host uses ssh key authentication to authenticate as a restricted user on the remote host, this user is restricted to the rsync command using the authorized_key file.

/etc/sudoers allows the user to execute rsync as superuser.

The backup host should logically only be able to read files / copy files from the remote host, not write files / copy files to the remote host, as it could easily compromise the remote host by overwriting /etc/passwd or just tamper with the files if it were compromised itself.

How can I achieve this? I already read about rrsync, but didn't see an option which allowed this.

Best Answer

The -ro flag of rrsync ensures that rsync is called with the --sender option, which should, according to the rrsync documentation, ensure that files can only be read - however, I could not find a authoritive source (aka rsync documentation) which confirms that. In my tests, it was sufficient to prevent writes to the server.

Related Solutions

Rsync in Daemon-Over-SSH Mode – Troubleshooting

There seems to be a bug in the documentation or the implimentation of rsync. man rsync says:

Rsync supports connecting to a host using a remote shell and then spawning a single-use “daemon” server that expects to read its config file in the home dir of the remote user.

but when connecting to root, according to /var/log/messages, it was looking in /etc/rsyncd.conf for the config file (the standard location for an rsyncd.conf file when not used over SSH.

I had to force the ssh server to use the right config file by adding

command="rsync --config=/root/rsyncd.conf --server --daemon ."

to /root/.ssh/authorized_keys.

The reason I didn't just put the config in the default location is that I didn't want someone to accidentally start a normal rsync daemon - I only want a daemon to have this much access when it has got the correct ssh key.

Windows rsync user – Permission denied

Your understanding of how "Backup Operators" interacts with NTFS permissions is flawed. Members of the "Backup Operators" group can read / write bypassing permissions, but only through specific backup API functions that rsync isn't using.

Rsync uses "normal" filesystem API functions, so the user rsync runs as is going to have to have access to read every file you intend to back up. There's no way around it w/o changing code in rsync.

Depending on how you've architected your permission hierarchies you may be able to add another ACE to your permissions for your rsync user (ideally, a group that the rsync user is a member of-- perhaps the only member-- rather than a user) to read the files. If you've blocked permission inheritance (which Microsoft doesn't seem to discourage strongly enough for just this kind of reason) then you've got a mess and you'll have to grant that permission at every root of permission inheritance along the hierarchy.

If your existing permission hierarchies already contain a suitable group (like, say, "Administrators"), you could take the seductive shortcut of adding the rsync user to the "Administrators" group. Obviously, a bug in rsync that allows an unprivileged user to execute code in the rsync user's context would be very, very bad such a case, so weigh the risks carefully.

Best Answer

Related Solutions

Rsync in Daemon-Over-SSH Mode – Troubleshooting

Windows rsync user – Permission denied

Related Topic