rsync with sudo rights
There is a task: to synchronize the contents of the /home/* folder between two servers.
The command looks like this:
rsync --archive --acls --xattrs --one-file-system -e "ssh -T -c arcfour -o Compression=no -x" --exclude=".*" --size-only --log-file=/home/backup/rsync.log remote@server_dns.ru:/home/* /home/backup/
The backup server connects to the remote server with an SSH key as the backup user.
But on the remote server, the /home/* folder contains many users who may have different read permissions on their files, and these files do not belong to the backup user or the backup group.
How can I perform rsync with the sudo command on this server, so that files can be copied regardless of their owner and permissions?
As an option, I tried adding all users to the backup group and changing all the files' permissions to be readable by the group. But this needs to be constantly monitored and looks like a crutch.
2 answers
You can use the --rsync-path option with the value "sudo rsync" (having previously allowed, on the remote machine, the user under whose name we are connecting to perform sudo rsync without entering a password).
According to man rsync:
--rsync-path=PROGRAM
Use this to specify what program is to be run on the remote machine to start-up rsync.
Free translation:
Use this to specify the program to be executed on the remote computer to run rsync.
Example:
- On a remote computer, we create a file and make it unreadable for everyone:
  $ touch /tmp/file; chmod ugo= /tmp/file
- On the local machine, we try to copy it (on behalf of an ordinary user, user) and get an error:
  $ rsync user@host:/tmp/file /tmp
  rsync: send_files failed to open "/tmp/file": Permission denied (13)
  rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1536) [generator=3.0.9]
- And now let's use the described option (after first allowing the user user on the remote machine to perform sudo rsync without entering the password), and the copy will be successful:
  $ rsync --rsync-path="sudo rsync" user@host:/tmp/file /tmp
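One way to limit what the passwordless `sudo rsync` from this answer can be used for, as an added example that is not part of the original answer: a forced-command gate for the backup SSH key that accepts only a read-only pull of paths under /home/. The script path, the /usr/bin/rsync path, the sudoers file name and the flag bundles in the test strings are assumptions; the trailing `*` in the sudoers rule matches any arguments, which is why the gate checks them itself.

```shell
#!/usr/bin/env bash
# Added example: forced-command gate for the backup SSH key. Paths and names are assumptions.
# ~/.ssh/authorized_keys of the remote account:
#   restrict,command="/usr/local/bin/rsync-pull-gate" <backup server public key>
# /etc/sudoers.d/backup-rsync (syntax-check with: visudo -cf /etc/sudoers.d/backup-rsync):
#   user ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *

# Return 0 only for a read-only pull ("--server --sender") of paths under /home/.
allow_pull_command() {
    local cmd=$1 word seen_dot=0 paths=0
    # Allow only characters that stay literal in sh, plus '*' for the /home/* glob.
    case $cmd in
        ''|*[!A-Za-z0-9\ ./_*=,@+:-]*) return 1 ;;
    esac
    set -f                      # keep '*' unexpanded while splitting into words
    set -- $cmd
    set +f
    [ $# -ge 5 ] || return 1
    [ "$1 $2 $3 $4" = "sudo rsync --server --sender" ] || return 1
    shift 4
    for word in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $word in
                .)           seen_dot=1 ;;   # "." separates options from paths
                --size-only) ;;              # the long option the page's command uses
                --*)         return 1 ;;     # any other long option is refused
                -*)          ;;              # short flag bundle
                *)           return 1 ;;
            esac
        else
            case $word in
                */../*|*/..) return 1 ;;     # no leaving /home via ".."
                /home/?*)    paths=$((paths + 1)) ;;
                *)           return 1 ;;
            esac
        fi
    done
    [ "$paths" -gt 0 ]
}

# sshd places the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_pull_command "$SSH_ORIGINAL_COMMAND"; then
        exec sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    logger -t rsync-pull-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Log SSH_ORIGINAL_COMMAND once on your own host to see the exact string your rsync version sends before tightening the allowed options further.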
You can embed the sudo password in the body of the script that makes the backup:
--rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync"
Full command:
rsync --rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync" --archive --acls --xattrs --one-file-system -e "ssh -T -c arcfour -o Compression=no -x" --exclude=".*" --size-only --log-file=/home/backup/rsync.log remote@server_dns.ru:/home/* /home/backup/
This approach is not completely secure, since the password is visible in the process tree. It is better to replace it with a construction like:
--rsync-path="cat /path/to/my_password.txt | sudo -Sv && sudo rsync"
where my_password.txt is copied to the server before taking the backup and then deleted (it is better to delete it with the shred command).