Is there a way to copy (for example) the /etc hierarchy from one system to another preserving root ownership of files and without revealing root passwords all over the place?

This is actually from and to Debian based systems (from Raspberry Pi to Xubuntu) so there's no actual root user login anyway, it's all sudo from privileged user.

So, it's easy for the sending end to be run as root as it's going to be run by a script in /etc/cron.daily, so it can access all the files in /etc even if only readable by root.

But how do you handle the other end to restore the root ownership etc.? The script has to do something like:-

    rsync -a /etc/ chris@remote:backups/etc/

So at the remote end it only has chris' privileges.

I want to automate this, I don't want any manual intervention to be needed.

-- 
Chris Green

Chris Green via rsync <rsync at lists.samba.org> wrote:
> Is there a way to copy (for example) the /etc hierarchy from one
> system to another preserving root ownership of files and without
> revealing root passwords all over the place?
>
> This is actually from and to Debian based systems (from Raspberry Pi
> to Xubuntu) so there's no actual root user login anyway, it's all sudo
> from privileged user.
>
> So, it's easy for the sending end to be run as root as it's going to be
> run by a script in /etc/cron.daily, so it can access all the files in
> /etc even if only readable by root.
>
> But how do you handle the other end to restore the root ownership etc.?
> The script has to do something like:-
>
>     rsync -a /etc/ chris@remote:backups/etc/
>
> So at the remote end it only has chris' privileges.
>
> I want to automate this, I don't want any manual intervention to be
> needed.
>

If I used the --super option (in a command like the one above) and chris can run rsync as root on the remote end (via options in the sudoers file) will this do what I want?

I guess I can go away and try it! :-)

-- 
Chris Green

Hi Chris,

On Tue, Aug 03, 2021 at 09:48:37AM +0100, Chris Green via rsync wrote:
> But how do you handle the other end to restore the root ownership etc.?
> The script has to do something like:-
>
>     rsync -a /etc/ chris@remote:backups/etc/
>
> So at the remote end it only has chris' privileges.

A couple of options:

https://strugglers.net/~andy/blog/2021/04/10/rsync-and-sudo-without-x-forwarding/

Since you want to automate it I'd go with letting root log in by ssh key only, and force the key to work only with a specific script. Here is an example forced command that only allows rsync:

https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/

This is still vulnerable to doing anything that rsync can do. You can secure it further by making a script that only does the specific things you need rsync to do, e.g. the exact parameters and paths, and force that script instead.

Cheers,
Andy

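
One way to write the forced script described in the message above, shown as an added example (not code from the thread or from the linked posts). The install path, the key comment, the destination /backups/etc/ and the pinned option bundle are assumptions; the bundle differs between rsync versions.

```shell
#!/bin/sh
# Forced-command wrapper: the only thing one root SSH key may run.
# Hypothetical install path and authorized_keys entry (key elided):
#   command="/usr/local/sbin/etc-backup-only",restrict ssh-ed25519 AAAA... pi-backup
# With this in place the sender runs: rsync -a /etc/ root@remote:/backups/etc/

# Assumption: the one destination this key may write to.
DEST='/backups/etc/'
# Assumption: the option bundle your client sends for "rsync -a". It varies
# with the rsync version; log $SSH_ORIGINAL_COMMAND once to learn yours.
FLAGS='-logDtpre.iLsfxC'

# Return 0 only for: rsync --server FLAGS . DEST
# (receiver mode; "--server --sender" would let the client read files instead).
allowed_rsync_command() {
    set -f          # no glob expansion while splitting
    set -- $1       # split the client's string into words, no eval
    set +f
    [ "$#" -eq 5 ]       || return 1
    [ "$1" = rsync ]     || return 1
    [ "$2" = --server ]  || return 1
    [ "$3" = "$FLAGS" ]  || return 1
    [ "$4" = . ]         || return 1
    [ "$5" = "$DEST" ]
}

# sshd puts what the client asked for in SSH_ORIGINAL_COMMAND. It is unset for
# an interactive login, in which case this script just ends: no shell is given.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # Run our own fixed argument list, never the client's string.
        exec rsync --server "$FLAGS" . "$DEST"
    fi
    logger -t etc-backup-only -p auth.warning "rejected: $SSH_ORIGINAL_COMMAND"
    echo "etc-backup-only: command not permitted" >&2
    exit 1
fi
```

Because the receiving rsync runs as root, -a restores ownership on the destination, and rejected requests show up in the auth log under the etc-backup-only tag.
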
On Tue 03 Aug 2021, Chris Green via rsync wrote:
> Is there a way to copy (for example) the /etc hierarchy from one
> system to another preserving root ownership of files and without
> revealing root passwords all over the place?

Best way is to run an rsync daemon on the source system, and be sure to use "uid = 0" so that the daemon reads the source as root.

> So, it's easy for the sending end to be run as root as it's going to be
> run by a script in /etc/cron.daily, so it can access all the files in
> /etc even if only readable by root.

Hmm I prefer to use "pull" mechanisms as that's more secure (harder to screw up the destination).

So create a /etc/rsyncd.conf file with the appropriate config, something like:

    [etc]
    path = /etc
    read only = yes
    hosts allow = another-system
    uid = 0

If using systemd then enable and start the daemon:

    systemctl enable rsync.service
    systemctl start rsync.service

Then on another-system as root run rsync:

    rsync -a one-system::etc/ /backups/etc/

I usually also use -H for hard links, but /etc usually won't have those.

You can also use an rsync password to make this a bit more secure so that not everyone on another-system can read all of /etc from one-system. Details in the manpage.

Paul