2

I'm currently trying to figure out backing up using rsync - and I've run into a little hitch. I've disabled root access via SSH for security reasons, and have to use my special user account (without sudo permissions) whenever I SSH in to do admin bits. I then use "su -" to get full root access when I'm SSHd so that I can have full root access and can do all the special admin bits. I used to use the following for backing up from my local machine:

```
sudo rsync -rav root@MyServerIP:/ BackupFolder/
```

However with my new security measures in place (not being able to SSH with root), I cannot use this. And since my special user account doesn't have sudo permissions - I can't use him to rsync either.

How can I run the command I've written above, after a "su -" or some other trick to make it have the permissions to do this? (I can input the root password to get root access - however root cannot be logged in directly from SSH)

EEAA
  • You are backing up to local machine, right? Why don't you consider using ssh-key for root rather than pass + su? – SparX Sep 26 '11 at 19:15
  • It seems surprising that su would be allowed but sudo would not. Interesting. – mdpc Sep 26 '11 at 19:25
  • Actually, you set up passwordless key authentication for root itself and use root when doing rsync. – SparX Sep 26 '11 at 19:57
  • Right - but can I do this while disabling root SSH via password? –  Sep 26 '11 at 20:20
  • Of course, yes. You need to set "PermitRootLogin without-password" which will only allow root login using appropriate ssh-key. All password authentication requests will be denied for user root. – SparX Sep 26 '11 at 23:01

4 Answers

2

Your backup jobs should be configured as "push" jobs rather than "pull". Initiate the backup job via root's cron on your server, and have it rsync its files to the backup destination.

EEAA
  • But even with the IP of my Mac Mini, how can I tell my Mac Mini to accept the files that the server is sending to it? –  Sep 26 '11 at 19:14
  • Configure port forwarding on your router. – EEAA Sep 26 '11 at 19:14
  • Would it be this simple? What ports would I need to forward? –  Sep 26 '11 at 19:32
  • You'd need to forward whatever port ssh is listening on, probably `22/tcp`. There are some security ramifications of doing this, though, and you sound like you're already out of your depth, so be careful, and make sure you do your homework before making this change. – EEAA Sep 26 '11 at 19:54
  • Right - so it's probably best I don't do this in interests of my security. Is there any easy way to tar.gz up everything while on the server (as root thanks to "su -")? Then I could just chmod the tar.gz to be accessible by my special user and then to rsync over the tar.gz –  Sep 26 '11 at 20:01
  • No, you can do it - it's not all that difficult to get set up in a secure fashion. You just need to do your homework first. – EEAA Sep 26 '11 at 20:05
  • I'd prefer not to though as I don't feel keeping my ports open is a good solution - are there any other easy ways to accomplish what I'm looking for? –  Sep 26 '11 at 20:20
  • added as requested :) – SparX Sep 27 '11 at 18:03
1

You could run an rsync server on the other computer. You can specify permitted users.

RedGrittyBrick
1

Suggested to use ssh-key authentication with rsync, after setting "PermitRootLogin without-password" in the ssh configuration to allow root access only via key authentication.

Just adding as the answer since you requested :)

SparX
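A way to confirm the setting this answer depends on, as an added example that is not part of the original answer: the script reports which `PermitRootLogin` value sshd would apply from a given config file, since sshd keeps the first value it reads for a keyword. The function names and the sample config are constructed for illustration; it assumes only the global section matters (it stops at the first `Match` block) and does not follow `Include` directives.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumptions: global section only, Include directives are not followed.

# Print the first live PermitRootLogin value in the file, or "unset".
effective_root_login() {
    awk '
        { sub(/#.*/, "") }                   # ignore comments
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == "permitrootlogin" {   # keywords are case-insensitive
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the effective value to what it means for root logins over SSH.
root_login_policy() {
    case "$(effective_root_login "$1")" in
        # prohibit-password is the newer name for without-password
        without-password|prohibit-password) echo "key-only" ;;
        forced-commands-only) echo "forced-commands-only" ;;
        no)    echo "disabled" ;;
        yes)   echo "unrestricted" ;;
        unset) echo "default" ;;   # built-in default differs between OpenSSH versions
        *)     echo "unknown" ;;
    esac
}

# Constructed sample: the commented-out line is ignored and the later
# "yes" never takes effect because the first live value wins.
sample=$(mktemp)
printf '%s\n' \
    '#PermitRootLogin yes' \
    'permitrootlogin without-password' \
    'PermitRootLogin yes' > "$sample"
root_login_policy "$sample"    # prints: key-only
rm -f "$sample"
```

On a real server, point `root_login_policy` at `/etc/ssh/sshd_config` after editing it and before reloading sshd.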
0

You can execute sudo on the remote host using the --rsync-path option. Something like this:

```
rsync -rav --rsync-path='sudo rsync' root@MyServerIP:/ BackupFolder/
```

Essentially, this causes rsync on the remote box to run as root.

jdw
  • This would work if my special account had admin privileges - however it has not (I need to use "su -" on it to become root to do anything). –  Sep 27 '11 at 06:09