Hi there,

On Wed, 10 Feb 2021, Felix Wolters wrote:

> I'd like to use it with restricted access to the client ...
If I understand you correctly there's no need for complications, you can
do that with plain vanilla rsyncd. It's what I do on my machines.
Forbidding ssh access further reduces the attackable surface.

1. Set up an rsyncd daemon on the client which listens for connections
from rsync on the backup server. Configuration like this for example:

8<----------------------------------------------------------------------
...
[Config]
path=/etc
auth users=whatever
secrets file=/etc/rsyncd.auth

[Homes]
path=/home
auth users=whatever
secrets file=/etc/rsyncd.auth
...
8<----------------------------------------------------------------------

The [words] in square brackets are what rsyncd knows as 'modules'. Any
module is read-only by default, so, even if it can connect to the
client's rsyncd daemon, the backup server can't write to anything in
those directories. You forbid access to anything else.

The file named in the 'secrets file' line contains just a single line
with the username 'whatever' (with no quotes), a colon, and the password
for that user. The user's password also appears in the Perl variable
$Conf{RsyncdPasswd} in the config fragment (usually in the file called
/.../BackupPC/pc/client.pl) on the backup server. The user can be one
which you create purely for backup purposes, and probably should be.

2. Set up 'rsyncd' transfers on the backup server like this, in the file
/.../BackupPC/pc/client.pl. Obviously any other special config for the
client goes in there too.

8<----------------------------------------------------------------------
$Conf{XferMethod} = 'rsyncd';
$Conf{RsyncShareName} = ['Config','Homes','usr_local_sbin','site_perl','usr_share_perl5_email'];
$Conf{RsyncdUserName} = 'whatever';
$Conf{RsyncdPasswd} = 'redacted';
8<----------------------------------------------------------------------

3. (Optional) Instead of running the rsyncd daemon on the client 24/7
you can run it via one of the super-servers, inetd or xinetd. Nowadays I
tend to use xinetd but that's up to you. The configurations are very
different for inetd and xinetd. Using a super-server like this lets you
further restrict connections as you'll see below in the 'only_from'
line:

8<----------------------------------------------------------------------
client:~ cat /etc/xinetd.d/rsyncd
...
service rsync
{
    flags           = REUSE
    socket_type     = stream
    port            = 873
    wait            = no
    user            = root
    group           = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.1.5 192.168.1.47 192.168.1.246
}
8<----------------------------------------------------------------------

If you run a super-server, don't forget that you'll need to restart it
after making any change to its configuration.

I've used this setup for quite a few years with no issues.

HTH

--
73,
Ged.

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
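The post's security argument rests on four properties of the client's rsyncd.conf: modules stay read-only, every module requires an 'auth users' entry, the 'secrets file' is private and actually contains that user, and connections are limited by source host (via 'hosts allow' or the super-server's 'only_from'). The script below is an added example, not code from the post or from the rsync or BackupPC projects: it parses an rsyncd.conf and reports any module that breaks one of those properties. Module names, paths and the password are constructed sample data.

```python
"""Audit an rsyncd.conf for the restrictions a read-only backup setup relies on.
Added example (not from the post, rsync or BackupPC); sample data is constructed."""
import configparser
import os
import re
import stat
import tempfile
from typing import Dict, List

FALSE_VALUES = {"false", "no", "0"}   # spellings rsyncd accepts for "off"


def _norm(key: str) -> str:
    """rsyncd treats 'auth users', 'authusers' and 'Auth Users' alike."""
    return key.replace(" ", "").replace("_", "").lower()


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {normalised key: value}}; parameters before the first module
    (rsyncd's global defaults for every module) land under 'global'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = _norm
    cp.read_string("[global]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def secrets_users(path: str) -> set:
    """Usernames from a 'user:password' secrets file, one entry per line."""
    users = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                users.add(line.split(":", 1)[0])
    return users


def check_secrets_file(path: str, module: str, eff: Dict[str, str]) -> List[str]:
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"[{module}] secrets file {path} does not exist"]
    # rsyncd with the default 'strict modes' refuses an other-accessible
    # secrets file; this audit is stricter and flags group bits as well.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"[{module}] secrets file {path} is group/other accessible "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    if eff.get("strictmodes", "yes").strip().lower() in FALSE_VALUES:
        findings.append(f"[{module}] 'strict modes' is disabled, so rsyncd will not "
                        "enforce secrets file permissions")
    # Each plain user in 'auth users' (ignoring @group entries and any ':ro'/':rw'
    # suffix) must be in the secrets file, or the backup server can never log in.
    wanted = {u.split(":")[0] for u in re.split(r"[,\s]+", eff["authusers"])
              if u and not u.startswith("@")}
    for user in sorted(wanted - secrets_users(path)):
        findings.append(f"[{module}] auth user '{user}' not in {path}")
    return findings


def audit(conf: Dict[str, Dict[str, str]], check_files: bool = True) -> List[str]:
    """One human-readable finding per weakness; an empty list means clean."""
    findings: List[str] = []
    glob = conf.get("global", {})
    for name, mod in conf.items():
        if name == "global":
            continue
        eff = {**glob, **mod}   # module settings override the global defaults
        if eff.get("readonly", "yes").strip().lower() in FALSE_VALUES:
            findings.append(f"[{name}] is writable: 'read only' = {eff['readonly']}")
        if "authusers" not in eff:
            findings.append(f"[{name}] allows anonymous access: no 'auth users'")
        elif "secretsfile" not in eff:
            findings.append(f"[{name}] has 'auth users' but no 'secrets file'")
        elif check_files:
            findings += check_secrets_file(eff["secretsfile"], name, eff)
        if "hostsallow" not in eff:
            findings.append(f"[{name}] accepts any source host: no 'hosts allow'")
    return findings


def demo() -> List[str]:
    """Constructed sample in the post's [Config]/[Homes] layout, plus one
    writable and one anonymous module so the checks have something to report."""
    secrets = os.path.join(tempfile.mkdtemp(), "rsyncd.auth")
    with open(secrets, "w") as fh:
        fh.write("whatever:constructed-sample-password\n")
    os.chmod(secrets, 0o600)
    conf = (
        "hosts allow = 192.168.1.5\n"                    # global default
        "\n[Config]\npath=/etc\nauth users=whatever\n"
        f"secrets file={secrets}\n"
        "\n[Homes]\npath=/home\nauth users=whatever\n"
        f"secrets file={secrets}\nread only = no\n"       # deliberate weakness
        "\n[Anon]\npath=/srv/pub\n"                        # deliberate weakness
    )
    return audit(parse_rsyncd_conf(conf))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real file with `audit(parse_rsyncd_conf(open("/etc/rsyncd.conf").read()))`. When rsyncd is started by xinetd as in step 3, the 'only_from' line already limits source hosts, so the "no 'hosts allow'" finding is informational there; the read-only, auth-user and secrets-file findings apply either way.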