Assume two sites A and B with a file server at either end. The contents of /storage should be synchronized between the sites, preserving ownership and permissions. There's no all-encompassing group that group-owns all of the files in /storage.
If running Unison or rsync with pid=0 it is trivial to do the synchronization. However, SSH is to be used as transport and for obvious reasons SSH root login has been disabled on both ends.
How can I keep A and B synchronized with all permissions preserved in that situation? Two methods I can think of:
- Running a secondary SSH that permits root logins yet may only connect over a VPN between A and B.
- Adding a special synchronization user which the sshd configuration forcibly executes as a
  - SUID wrapper to Unison or rsync (dangerous to get right).
  - sudo wrapper to Unison or rsync.
The answers given to the question "Remotely use root over ssh for unison" suggest enabling password-less pubkey root login over SSH. I'm not very keen on that solution.
Any other ideas?
The public key root login over SSH is likely your best bet. You could furthermore restrict this access to a single host:
Or even use the Match directive to get a unique configuration for a given something (address, user, etc):

How to run a remote unison instance as root:
Remote side
- don't touch your sshd config, especially don't create any special synchronization [ssh] user as you state in your question
- create sudo wrapper vi sunison:
(yes, this is for Termux environment, simplify to your needs)
Client side
-servercmd sunison
servercmd = sunison
Notes
servercmd = sudo unison would be best, but it didn't work for me
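The sudo-wrapper option from the question and the answer above, worked through as an added example (not code from the question or either answer): it generates a sudoers rule limited to exactly "unison -server", the wrapper body the client names via -servercmd, and an authorized_keys entry that pins the sync user's key to the peer and forces the wrapper, and it checks the wrapper's ownership and mode. The account name syncuser, the paths, and the peer address 192.0.2.10 are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Generates the three
# pieces of a least-privilege "sync user + sudo wrapper" setup for the remote
# side and checks the wrapper file. Every name and path here is an assumption.
SYNC_USER=syncuser                      # unprivileged account the client logs in as
UNISON_BIN=/usr/bin/unison              # path to unison on the remote side
WRAPPER=/usr/local/bin/sunison          # the wrapper the client names via -servercmd
PEER_ADDR=192.0.2.10                    # constructed peer address (documentation range)

# sudoers line: sudo matches the argument list literally, so this grants
# exactly "unison -server" as root and nothing else, without a password.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s -server\n' "$SYNC_USER" "$UNISON_BIN"
}

# Wrapper body. It discards whatever arguments arrive over ssh and always runs
# the one permitted command; -n makes sudo fail instead of prompting.
wrapper_script() {
    printf '#!/bin/sh\nexec sudo -n -- %s -server\n' "$UNISON_BIN"
}

# authorized_keys entry for the sync user: pin the key to the peer's address,
# force the wrapper as the command, and turn off everything else ssh offers.
authorized_keys_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$PEER_ADDR" "$WRAPPER" "$1"
}

# The wrapper runs as root via sudo, so it must be owned by root (or by the
# account passed as $2) and writable by neither group nor others.
wrapper_is_safe() {
    f="$1"; owner="${2:-root}"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    mode="$1"
    [ "$3" = "$owner" ] || return 1
    case "$mode" in ?????w*|????????w*) return 1 ;; esac
    return 0
}
```

Install the outputs with visudo, as the wrapper at the assumed path, and in the sync user's authorized_keys respectively; the client side then keeps servercmd = sunison from the answer.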