I am using rsync --rsh "ssh" to push to a mirror. Setting the necessary file system permissions on the mirror requires rsync to run with root privileges on the mirror. However, the mirrored files are under a single hierarchy and I would like to allow rsync to access only that hierarchy and nothing else on the mirror.
How would I allow rsync to set permissions while also limiting access?
Is there possibly some combination of rsync --rsh "???" and the command="???" option in authorized_keys that might do the trick? The rsync command is already using a dedicated key in authorized_keys.
Or is there a way for rsync to connect as an unprivileged user, be jailed, and then gain access to set file system permissions? Jailing the process is easy, but allowing the remote rsync to gain privileges seems difficult, and allowing a jailed process to gain any permissions seems risky. (Of course, right now the process has root and any degree of restriction would be an improvement, even if only to mitigate accidents.)
To rsync a remote location to a local location:
To rsync a local location to a remote location:
From the manpage (http://linux.die.net/man/1/rsync):
To get rsync to work without prompting for a password, you'll need to configure a trust between the source and destination servers by generating rsa-keys and entering them into their respective authorized keys. Here's a good tutorial:
http://troy.jdmz.net/rsync/index.html
You should be running
rsyncfrom your mirror with your original as the source.Depending on your use case you should either run it as a
cronjob(periodic) or ansshkeycommand (push initiated pull, effectively a push).The solution in my particular case is to use
rsync --rsh "ssh"to connect as the user who should own the files being mirrored and to use the ssh configuration to chroot that user to the proper hierarchy.Recipe something like this, on destination server:
Finally, from remote system, as unprivileged user, push data to mirror: