Kevin Korb
2022-Mar-12 06:22 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Rsync includes a script named rrsync that handles this perfectly.

On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a forced
>> command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very welcome :-)
>
> I've also had an issue due to some server-side-only arguments to rsync
> being undocumented, which means I can't validate them, and basically
> have to accept anything ... I'd love to know why this is or has to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard

--
Kevin Korb                  Phone:    (407) 252-6853
Systems Administrator       Internet:
FutureQuest, Inc.           Kevin at FutureQuest.net  (work)
Orlando, Florida            kmk at sanitarium.net (personal)
Web page:                   https://sanitarium.net/
PGP public key available on web site.
Bri Hatch
2022-Mar-12 06:36 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org> wrote:
> Rsync includes a script named rrsync that handles this perfectly.

And authprogs provides similar functionality, though you use yaml to define what is/isn't allowed. However it does allow you to use one SSH identity for potentially many different source dirs rather than requiring a separate authorized_key entry for each forced command.

example:

    - rule_type: rsync
      allow_download: true
      allow_recursive: true
      paths:
        - /etc
        - /srv/freezeray
      path_startswith:
        - /srv/web

https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules

> On 3/12/22 01:08, Richard Hector via rsync wrote:
> > On 12/03/22 18:38, Richard Hector via rsync wrote:
> >> And I do my backups (using dirvish) as root, using a key with a forced
> >> command.
> >
> > FWIW, that forced command is here:
> >
> > https://github.com/rwhector/dirvish-forced-command
> >
> > It's rather unpolished and undocumented, but comments very welcome :-)
> >
> > I've also had an issue due to some server-side-only arguments to rsync
> > being undocumented, which means I can't validate them, and basically
> > have to accept anything ... I'd love to know why this is or has to be
> > the case :-) I didn't get any particularly useful answers back in
> > January 2019 ...
> >
> > Cheers,
> > Richard

--
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes."
Richard Hector
2022-Mar-12 08:01 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
It may do the job; it doesn't AFAIK explain why the options are undocumented :-)

Cheers,
Richard

On 12/03/22 19:22, Kevin Korb via rsync wrote:
> Rsync includes a script named rrsync that handles this perfectly.
>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
>> On 12/03/22 18:38, Richard Hector via rsync wrote:
>>> And I do my backups (using dirvish) as root, using a key with a
>>> forced command.
>>
>> FWIW, that forced command is here:
>>
>> https://github.com/rwhector/dirvish-forced-command
>>
>> It's rather unpolished and undocumented, but comments very welcome :-)
>>
>> I've also had an issue due to some server-side-only arguments to rsync
>> being undocumented, which means I can't validate them, and basically
>> have to accept anything ... I'd love to know why this is or has to be
>> the case :-) I didn't get any particularly useful answers back in
>> January 2019 ...
>>
>> Cheers,
>> Richard
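
For readers following the thread: the sketch below is an added example, not code from rrsync, authprogs or dirvish-forced-command, showing how a forced command can validate the `rsync --server` request that sshd passes in `SSH_ORIGINAL_COMMAND`. The function name, the long-option allow-list and the short-option pattern are assumptions of this example; because the flags rsync appends after `-e` are the undocumented ones discussed above, anything outside the conservative pattern is rejected rather than accepted.

```python
import os
import re
import shlex

# Assumption: short options arrive as one bundle of letters, optionally followed
# by "." and more letters (the -e suffix the thread calls undocumented).
SHORT_OPTS = re.compile(r"^-[A-Za-z]+(\.[A-Za-z]*)?$")
# Constructed allow-list for this example; not rsync's full option set.
LONG_OPTS = {"--delete", "--numeric-ids", "--partial"}


def check_rsync_command(original, allowed_dirs, allow_upload=False):
    """Return the validated argv of an 'rsync --server' request or raise ValueError."""
    argv = shlex.split(original)  # parsed without a shell; metacharacters stay literal
    if argv[:2] != ["rsync", "--server"]:
        raise ValueError("not an rsync server invocation")
    rest = argv[2:]
    if rest and rest[0] == "--sender":  # --sender: the client is downloading
        rest = rest[1:]
    elif not allow_upload:
        raise ValueError("upload (receiver mode) not permitted for this key")
    if "." not in rest:
        raise ValueError("missing '.' separator before the paths")
    split = rest.index(".")
    opts, paths = rest[:split], rest[split + 1:]
    for opt in opts:
        if not (SHORT_OPTS.match(opt) or opt in LONG_OPTS):
            raise ValueError(f"option not on allow-list: {opt}")
    if not paths:
        raise ValueError("no path given")
    for path in paths:
        if path.startswith("-"):
            raise ValueError(f"path looks like an option: {path}")
        real = os.path.realpath(path)  # resolves '..' and symlinks before comparing
        if not any(real == d or real.startswith(d.rstrip("/") + "/")
                   for d in allowed_dirs):
            raise ValueError(f"path outside allowed directories: {path}")
    return argv
```

A wrapper installed as the key's forced command would pass `os.environ["SSH_ORIGINAL_COMMAND"]` to this function and call `os.execvp` on the returned argv only when no exception is raised.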