rsync with sudo rights

There is a task: to synchronize the contents of the /home/* folder between two servers.
The command looks like this:

    rsync --archive --acls --xattrs --one-file-system -e "ssh -T -c arcfour -o Compression=no -x" --exclude=".*" --size-only --log-file=/home/backup/rsync.log remote@server_dns.ru:/home/* /home/backup/

The backup server connects to the remote server with an SSH key as the backup user.
But on the remote server, the /home/* folder contains many users who may have different read permissions on their files, and these files do not belong to the backup user or group, respectively.
How can I run rsync with sudo on this server, so that files can be copied regardless of their owner and permissions?

As an option, I tried adding all users to the backup group and changing all the files' permissions so that the group can read them. But this needs to be constantly monitored and looks like a crutch.

Author: Kislik, 2016-08-15

2 answers

You can use the --rsync-path option with the value "sudo rsync" (having first allowed the user we connect as to run sudo rsync on the remote machine without entering a password).

According to man rsync:

--rsync-path=PROGRAM
Use this to specify what program is to be run on the remote machine to start-up rsync.


Example:

  1. On a remote computer, we create a file and make it unreadable for everyone:

    $ touch /tmp/file; chmod ugo= /tmp/file
    
  2. On the local machine, we try to copy it (as an ordinary user, user) and get an error:

    $ rsync user@host:/tmp/file /tmp
    rsync: send_files failed to open "/tmp/file": Permission denied (13)
    rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1536) [generator=3.0.9]
    
  3. Now let's use the option described above (having first allowed the user user to run sudo rsync on the remote machine without entering the password), and the copy will succeed:

    $ rsync --rsync-path="sudo rsync" user@host:/tmp/file /tmp
    
 2
Author: aleksandr barakin, 2017-04-13 12:53:26
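
Passwordless `sudo rsync` gives whoever holds the backup key root-level file access on the remote server, so that key is worth restricting to read-only pulls. The script below is an added example, not code from either answer: a forced-command gate that accepts only `sudo rsync --server --sender` requests for paths under /home. The install path `/usr/local/bin/rsync-pull-gate`, the sudoers line and the allowed-option list are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers): forced-command gate for the backup key.
# Assumed setup on the remote server; file path and key are placeholders:
#   ~remote/.ssh/authorized_keys:
#     command="/usr/local/bin/rsync-pull-gate",no-pty,no-port-forwarding <backup public key>
#   sudoers (via visudo):
#     remote ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *
LC_ALL=C; export LC_ALL
ALLOWED_LONG_OPTS="--size-only"   # long options accepted from the client (assumed policy)
ALLOWED_ROOT="/home/"             # only paths under this prefix may be requested

# Succeeds only for: sudo rsync --server --sender <options> . <paths under ALLOWED_ROOT>
is_readonly_pull() {
    cmd=$1
    case $cmd in    # conservative character set: no ; | & $ ` quotes or newlines, no ".."
        *[!A-Za-z0-9" ./_*=,-"]*|*..*) return 1 ;;
    esac
    case $cmd in
        "sudo rsync --server --sender "*) rest=${cmd#"sudo rsync --server --sender "} ;;
        *) return 1 ;;    # receiver mode (no --sender) could write files as root
    esac
    set -f; set -- $rest; set +f    # split on spaces without expanding the "*"
    seen_dot=0 paths=0
    for word in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $word in
                .)      seen_dot=1 ;;
                --*)    case " $ALLOWED_LONG_OPTS " in *" $word "*) ;; *) return 1 ;; esac ;;
                -[!-]*) case $word in *[!A-Za-z0-9.-]*) return 1 ;; esac ;;  # short-flag bundle
                *)      return 1 ;;
            esac
        else
            case $word in
                "$ALLOWED_ROOT"?*) paths=$((paths + 1)) ;;
                *) return 1 ;;
            esac
        fi
    done
    [ "$seen_dot" -eq 1 ] && [ "$paths" -gt 0 ]
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then    # set by sshd for forced-command keys
    if is_readonly_pull "$SSH_ORIGINAL_COMMAND"; then
        exec sh -c "$SSH_ORIGINAL_COMMAND"     # validated: allowlisted characters only
    fi
    logger -t rsync-pull-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
else
    # Constructed sample; the short-flag bundle differs between rsync versions and options.
    sample='sudo rsync --server --sender -logDtpAXxre.iLsfxC --size-only . /home/*'
    is_readonly_pull "$sample" && echo "allow: $sample"
fi
```

Rejected commands are written to syslog under the `rsync-pull-gate` tag, which shows the exact server command your rsync client sends if the allowlist needs adjusting.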

You can hard-code the sudo password into the body of the script that makes the backup:

    --rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync"

Full command:

    rsync --rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync" --archive --acls --xattrs --one-file-system -e "ssh -T -c arcfour -o Compression=no -x" --exclude=".*" --size-only --log-file=/home/backup/rsync.log  remote@server_dns.ru:/home/* /home/backup/

This approach is not completely secure, since the password is visible in the process tree. It is better to replace it with a construction like --rsync-path="cat /path/to/my_password.txt | sudo -Sv && sudo rsync", where my_password.txt is copied to the server before taking the backup and then deleted (it is better to delete it with the shred command).

 0
Author: Bulat, 2018-08-29 07:02:17