I have a need to copy files between servers through the web. I'm using RSYNC over ssh to do so. The problem is, I need to be able to transfer files, no matter where the files are.
I created a user rsync and ran usermod -G root -a rsync to give him the right to read/write anywhere on both servers.
During the transfer, I see this error:
rsync: mkstemp "/root/.myFile.RDr2HY" failed: Permission denied (13)
I don't understand what's happening.
edit: I just found out that the destination folder didn't have write access for the root group. How would I give 100% access to this rsync user? If I change its uid to 0, rsync stops working.
What you've done, usermod -G root -a rsync, is to add the rsync user to the root group. This has no effect whatsoever on most systems, because the root group is not special. There are systems where being in the root group is necessary to escalate privileges to the root user, but it is never sufficient (the root group is the group of users who may use sudo, or some equivalent setup).

In terms of security, giving a user the permission to write files anywhere is exactly equivalent to giving that user root powers. (The user can overwrite /bin/su, or /etc/passwd, or /usr/sbin/sshd, or any number of other programs and databases that would let her set up a backdoor for herself.)

If you need to access arbitrary files over ssh, allow ssh logins as root. Not with a password (or else a long, randomly generated one), just with a key (which you'll need to protect carefully, of course). In /etc/sshd_config, put

Another way of allowing arbitrary file access would be to grant your rsync user the appropriate permissions via POSIX ACLs on your filesystem(s). I wrote up a quick summary of inherited ACLs here.
If your requirement to allow the user to write to any file at all is accurate, then there may be bigger security concerns, and it may be more prudent to do as others suggest and just allow root logins - keeping the setup simple will save you time in future.
However I strongly suspect that you don't, in fact, require the ability to put files anywhere at all on the system. If that's the case, and you actually just need to be able to put them in some number of arbitrary places, then POSIX ACLs may help you out.
If you really do need to be able to overwrite, for example, /etc/passwd via this mechanism, then you should consider a different approach. If you're pushing out configuration changes including accounts, you'll have a better time of it if you use a configuration management system like puppet or cfengine. These will let you specify configuration changes which are then pushed out to the remote system.
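An added example (written for this page, not taken from the answers above) of the POSIX ACL approach that this answer and the earlier one mention: the rsync user gets read/write on one tree through an access ACL, plus a default ACL so that directories and files created later inherit the same entry, without touching ownership or the root group. It assumes the Linux acl tools (setfacl and getfacl) and a filesystem mounted with ACL support; the walkthrough uses the current user as a stand-in for the rsync account so it runs unprivileged on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original answers: confining the rsync user to
# one directory tree with POSIX ACLs instead of group membership. Assumes the
# Linux acl tools (setfacl/getfacl) and a filesystem with ACL support.

# Grant $1 read/write/traverse on everything under $2 now (access ACL) and on
# anything created there later (default ACL, inherited by new subdirectories).
grant_tree_access() {
  user=$1; tree=$2
  setfacl -R -m "u:$user:rwX" "$tree" || return 1
  setfacl -R -d -m "u:$user:rwX" "$tree" || return 1
}

# Succeed if the ACL on $2 gives $1 write permission after the mask is applied
# (getfacl appends "#effective:" when the mask narrows an entry).
acl_grants_write() {
  getfacl -c -p "$2" 2>/dev/null | awk -F'[:[:space:]#]+' -v u="$1" '
    $1 == "user" && $2 == u {
      perms = $3
      if ($4 == "effective") perms = $5
      if (perms ~ /w/) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Walk through the behaviour on a scratch tree: the grant applies to the tree,
# is inherited by a subdirectory and a file made afterwards, and does not leak
# to a directory outside the tree. The current user stands in for the rsync
# account so this can be run unprivileged.
demo_inherited_acl() {
  user=$(id -un)
  tree=$(mktemp -d) && outside=$(mktemp -d) || return 1
  grant_tree_access "$user" "$tree" || {
    echo "setfacl failed (filesystem without ACL support?)"; return 1; }
  mkdir "$tree/sub" && : > "$tree/sub/new-file"
  acl_grants_write "$user" "$tree/sub"          || return 1
  acl_grants_write "$user" "$tree/sub/new-file" || return 1
  acl_grants_write "$user" "$outside"           && return 1
  rm -rf "$tree" "$outside"
  echo "inherited ACL confirmed on a new subdirectory and file"
}

# Run the walkthrough when executed directly; skip if the acl tools are absent.
if command -v setfacl >/dev/null 2>&1; then
  demo_inherited_acl
fi
```

For the real account, substitute the rsync user and the tree it must reach, for example grant_tree_access rsync /srv/uploads. Note that the default ACL mask is computed from the mode the creating program requests rather than from the umask, which is why a file created with 0666 ends up with an effective rw- entry while a directory keeps rwx; acl_grants_write reads the effective permission so it reports what the user can actually do.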