Paul Slootman via rsync <rsync at lists.samba.org> wrote:
> On Tue 03 Aug 2021, Chris Green via rsync wrote:
>
> > Is there a way to copy (for example) the /etc hierarchy from one
> > system to another preserving root ownership of files and without
> > revealing root passwords all over the place?
>
> Best way is to run an rsync daemon on the source system, and be sure to
> use "uid = 0" so that the daemon reads the source as root.
>
> > So, it's easy for the sending end to be run as root as it's going to be
> > run by a script in /etc/cron.daily, so it can access all the files in
> > /etc even if only readable by root.
>
> Hmm I prefer to use "pull" mechanisms as that's more secure (harder to
> screw up the destination).
>
> So create a /etc/rsyncd.conf file with the appropriate config, something
> like:
>
>     [etc]
>         path = /etc
>         read only = yes
>         hosts allow = another-system
>         uid = 0
>
> If using systemd then enable and start the daemon:
>
>     systemctl enable rsync.service
>     systemctl start rsync.service
>
> Then on another-system as root run rsync:
>
>     rsync -a one-system::etc/ /backups/etc/
>
> I usually also use -H for hard links, but /etc usually won't have those.
>
> You can also use an rsync password to make this a bit more secure so
> that not everyone on another-system can read all of /etc from
> one-system. Details in the manpage.
>

I already have an rsync daemon server running elsewhere, I can add
this requirement to that I think. Thank you.

-- 
Chris Green
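
The module quoted above reads /etc as root and is gated only by "hosts allow"; the "rsync password" it mentions is set with the rsyncd.conf parameters "auth users" and "secrets file". As an added example (not from the thread or the rsync project), this Python check parses a constructed rsyncd.conf and flags root-reading modules that lack those settings. The [etc-auth] module, the user name "backup" and the secrets path are assumptions.

```python
import re

# Constructed sample: the [etc] module from the thread, plus an assumed
# variant that adds password authentication (auth users + secrets file).
SAMPLE = """\
[etc]
    path = /etc
    read only = yes
    hosts allow = another-system
    uid = 0

[etc-auth]
    path = /etc
    read only = yes
    hosts allow = another-system
    uid = 0
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; global params become module defaults.
    Simplification: backslash line continuations are not handled."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), dict(defaults))
        elif "=" in line:
            # Only the first "=" is significant; normalise the parameter name.
            name, _, value = line.partition("=")
            key = " ".join(name.lower().split())
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """List (module, finding) pairs for modules the daemon reads as root."""
    findings = []
    for name, p in parse_rsyncd_conf(text).items():
        if p.get("uid", "").lower() not in ("0", "root"):
            continue
        writable = p.get("read only", "yes").lower() in ("no", "false", "0")
        checks = [("no hosts allow", not p.get("hosts allow")),
                  ("no auth users", not p.get("auth users")),
                  ("no secrets file", not p.get("secrets file")),
                  ("writable", writable)]
        findings += [(name, msg) for msg, bad in checks if bad]
    return findings
```

On the pulling side, rsync's --password-file option supplies the matching password non-interactively.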
On 2021/08/03 07:09, Chris Green via rsync wrote:
> I already have an rsync daemon server running elsewhere, I can add
> this requirement to that I think. Thank you.
>
----
It seems to me, a safer bet would be to generate an ssh-cert
that allows a passwordless login from your sys to the remote.

Then "export RSYNC_RSH=ssh" on your source before running rsync (as root).
I don't use an rsyncd on the remote.

Try it in some sub-dir first. Don't cross fs boundaries, so
like I use flags (for xfs->xfs) like:

    rsync -auvxHAXOW --del /usr/local/fonts/ remotesys:/usr/local/fonts/

Pathnames are finicky. While this pair works:

    aa/dir/ (->) bb/dir/

and I think this one does:

    aa/dir bb/

there are more that aren't reliable but may work occasionally (like
work 1st time, but not 2nd...). Some examples:

    aa/dir/ bb/dir
    aa/dir/. bb/dir/.
    aa/dir bb
    aa/dir/ bb/

then do your rsync as normal run rsync as root to the remote as normal.

Passwordless ssh logins are used where remote root and
remote-passworded logins are forbidden, since with a strong key,
there is no password to crack.

Since you may not want remote login directly to root, you might
prohibit use of passwords for root (forcing use of a secure key).

There can be many caveats, so try on smaller, backed up fs's first...
If you have room, transfer to a tmpdir then move into place.

Good luck...