rsync - Aug 2021 - How to manage root<-->root rsync keeping permissions?

On 2021/08/03 07:09, Chris Green via rsync wrote:
> I already have an rsync daemon server running elsewhere, I can add
> this requirement to that I think.  Thank you.
>   
----

It seems to me, a safer bet would be to generate an ssh-cert
that allows a passwdless login from your sys to the remote.

Then "export RSYNC_RSH=ssh" on your source before running
rsync (as root).

I don't use an rsyncd on the remote.  Try it in some sub-dir first.
Don't cross fs boundaries, so like I use flags (for xfs->xfs) like:

rsync -auvxHAXOW --del /usr/local/fonts/  remotesys:/usr/local/fonts/

pathnames are finicky.  While
  this pair works:
aa/dir/ (->) bb/dir/
  and I think this one does:
aa/dir bb/

   there are more that aren't reliable but may work occasionally
(like work 1st time, but not 2nd...). Some examples:

aa/dir/ bb/dir
aa/dir/. bb/dir/.
aa/dir bb
aa/dir/ bb/


then do your rsync as normal run rsync as root to the remote as normal.

Passwordless ssh logins are used where remote root and
remote-passworded logins are forbidden, since with a strong
key, there is no password to crack.  Since you may not want
remote login directly to root, you might prohibit use of passwords
for root (forcing use of a secure key).

There can be many caveats,  so try on smaller, backed up fs's first...
If you have room, transfer to a tmpdir then move into place.

Good luck...

L A Walsh via rsync <rsync at lists.samba.org>
wrote:
> On 2021/08/03 07:09, Chris Green via rsync wrote:
> > I already have an rsync daemon server running elsewhere, I can add
> > this requirement to that I think.  Thank you.
> >   
> ----
> 
> It seems to me, a safer bet would be to generate an ssh-cert
> that allows a passwdless login from your sys to the remote.
> 
The trouble with that is that it leaves a big security hole.

If (for example) I leave my laptop turned on somewhere, or someone
wanders into my study where my desktop machine is they have instant,
passwordless access to the remote backup machine.

I try very hard to make my backups secure from attack so that if my
desktop or laptop is compromised somehow the (remote) backups are
still secure.


The backup system that runs the rsync daemon has its rsync configured
with 'refuse options = delete' so not only does someone with access to
my desktop/laptop need to know the rsyncd username and password but
they also cannot delete my existing backups.  It runs incremental
backups so nothing is ever overwritten either.

-- 
Chris Green
?