0

I use rsync to mirror a number of folders on our failover server. However, some of our files, such as thumbnails or full-text indexes, are generated by our applications under the web user (named 'nobody'), and default to restrictive permissions.

Also, I'm doing this over ssh, where root access is disabled, and I'd like to keep it that way, if possible.

Is there any reasonable way I can tell rsync to run as sudo? Or should I look into changing the file permissions?

masegaloeh
Bryan M.

3 Answers

6

You can specify what to run as the remote rsync command via `--rsync-path`, e.g. something like this:

    rsync --rsync-path='sudo rsync' --blah --blah /src blah@dest:/dst

James
1

You could:

  1. create a new group for data that should be read (by rsync), add UIDs to that group and/or change GIDs on files and directories, and set appropriate permissions; that'll let you use rsync with that username
  2. get the exact command line run at the server end when using rsync-over-ssh (hint: use -v multiple times, and remember to take the '-v's out of the command line you get) and use SSH public key authentication forcing that specific command (see AUTHORIZED_KEYS FILE FORMAT in sshd(8))

With #2 you could use rsync over ssh to the root user and still be secure (see PermitRootLogin no-password in sshd_config(5)), or even better you could combine the two to create a non-privileged user which can only be used with that specific rsync command line.

EDIT: sending auth data over ssh to get root (e.g. ssh as user, sudo with user password) is not better than doing ssh directly to the root user (via public key or via a good password), IMHO.

Luke404
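One way to implement option 2 from the answer above, as an added example that is not part of the original post: a forced-command wrapper that only lets the mirror key run rsync as a read-only sender under one directory. The script path `/usr/local/bin/rsync-only`, the root `/srv/data` and the key line are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Installed as the forced command for the mirror key, e.g. in
# ~/.ssh/authorized_keys (key material is a placeholder):
#   command="/usr/local/bin/rsync-only",restrict ssh-ed25519 AAAA...PLACEHOLDER mirror
# ALLOWED_ROOT is an assumed location for the mirrored data.
ALLOWED_ROOT=${ALLOWED_ROOT:-/srv/data}

# rsync_cmd_allowed CMD ROOT: succeed only for
#   rsync --server --sender <short flags> . <path under ROOT>
rsync_cmd_allowed() {
    cmd=$1 root=${2%/}
    # Allowlist of characters: anything else (; | & $ ` quotes ...) is refused.
    case $cmd in
        ''|*[!A-Za-z0-9\ ./_,=-]*) return 1 ;;
    esac
    set -f; set -- $cmd; set +f        # split on whitespace, no globbing
    [ "$#" -ge 5 ] || return 1
    # --sender means the server only reads; without it the client could write.
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    while [ "$#" -gt 2 ]; do
        # Short flag bundles only; long options such as --remove-source-files
        # would let the client delete files on this host.
        case $1 in -[!-]*) shift ;; *) return 1 ;; esac
    done
    [ "$1" = . ] || return 1
    case $2 in
        *..*) return 1 ;;                  # no climbing out of ROOT
        "$root"|"$root"/*) return 0 ;;
    esac
    return 1
}

# sshd stores the command the client requested in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND" "$ALLOWED_ROOT"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The check is textual, so a symlink inside the allowed root that points elsewhere is still followed according to the rsync flags the client sends.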
0

You can also use the rsync daemon. Beware, though: the way I described it there makes it possible for anyone on the machine running the rsync daemon to access the module name.

I haven't looked into it very deeply, but I wasn't able to create a secure public-key-based (and therefore passwordless) setup this way. But there may be one.

Halfgaar
  • You can set the `RSYNC_PASSWORD` environment variable to pass the password to rsync non-interactively. ssh with keys is more secure IMO. – James Jun 15 '10 at 20:14