Thank you, HTH, for your effort! Your setup is absolutely reasonable – as long as you are on a trusted (local) network and don’t need encrypted transport.
Apart from that, the setup with rrsync would be much less complicated – if it worked …

On 10.02.21 at 17:10, G.W. Haywood via BackupPC-users wrote:
> Hi there,
>
> On Wed, 10 Feb 2021, Felix Wolters wrote:
>
>> I'd like to use it with restricted access to the client ...
>
> If I understand you correctly there's no need for complications, you
> can do that with plain vanilla rsyncd. It's what I do on my machines.
> Forbidding ssh access further reduces the attackable surface.
>
> 1. Set up an rsyncd daemon on the client which listens for connections
> from rsync on the backup server. Configuration like this for example:
>
> 8<----------------------------------------------------------------------
> ...
> [Config]
> path=/etc
> auth users=whatever
> secrets file=/etc/rsyncd.auth
>
> [Homes]
> path=/home
> auth users=whatever
> secrets file=/etc/rsyncd.auth
> ...
> 8<----------------------------------------------------------------------
>
> The [words] in square brackets are what rsyncd knows as 'modules'.
> Any module is read-only by default, so, even if it can connect to the
> client's rsyncd daemon, the backup server can't write to anything in
> those directories. You forbid access to anything else. The file
> named in the 'secrets file' line contains just a single line with the
> username 'whatever' (with no quotes), a colon, and the password for
> that user. The user's password also appears in the Perl variable
> $Conf{RsyncdPasswd} in the config fragment (usually in the file called
> /.../BackupPC/pc/client.pl) on the backup server. The user can be one
> which you create purely for backup purposes, and probably should be.
>
> 2. Set up 'rsyncd' transfers on the backup server like this, in the
> file /.../BackupPC/pc/client.pl. Obviously any other special config
> for the client goes in there too.
>
> 8<----------------------------------------------------------------------
> $Conf{XferMethod} = 'rsyncd';
> $Conf{RsyncShareName} =
>   ['Config','Homes','usr_local_sbin','site_perl','usr_share_perl5_email'];
> $Conf{RsyncdUserName} = 'whatever';
> $Conf{RsyncdPasswd} = 'redacted';
> 8<----------------------------------------------------------------------
>
> 3. (Optional)
>
> Instead of running the rsyncd daemon on the client 24/7 you can run it
> via one of the super-servers, inetd or xinetd. Nowadays I tend to use
> xinetd but that's up to you. The configurations are very different
> for inetd and xinetd. Using a super-server like this lets you further
> restrict connections as you'll see below in the 'only_from' line:
>
> 8<----------------------------------------------------------------------
> client:~ cat /etc/xinetd.d/rsyncd
> ...
> service rsync
> {
>     flags           = REUSE
>     socket_type     = stream
>     port            = 873
>     wait            = no
>     user            = root
>     group           = root
>     server          = /usr/bin/rsync
>     server_args     = --daemon
>     log_on_failure  += USERID
>     disable         = no
>     only_from       = 127.0.0.1 192.168.1.5 192.168.1.47 192.168.1.246
> }
> 8<----------------------------------------------------------------------
>
> If you run a super-server, don't forget that you'll need to restart it
> after making any change to its configuration.
>
> I've used this setup for quite a few years with no issues.
>
> HTH
>
_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
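
An added example, not part of the original messages or of BackupPC: a small Python audit of an rsyncd.conf against the properties the quoted setup relies on (every module has `auth users` and a `secrets file`, and stays read-only). The sample config is constructed; the `[Scratch]` and `[Open]` modules and the function names are assumptions for illustration.

```python
# Constructed sample: [Config] and [Homes] follow the quoted rsyncd.conf;
# [Scratch] and [Open] are invented weak modules added for contrast.
SAMPLE_CONF = """\
[Config]
path=/etc
auth users=whatever
secrets file=/etc/rsyncd.auth
[Homes]
path = /home
Auth Users = whatever
secrets file = /etc/rsyncd.auth
[Scratch]
path=/srv/scratch
auth users=whatever
secrets file=/etc/rsyncd.auth
read only=no
[Open]
path=/srv/pub
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalised names."""
    glob, modules = {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # rsyncd ignores case and whitespace in parameter names
            current["".join(key.lower().split())] = value.strip()
    return glob, modules

def audit(text):
    """Return sorted (module, finding) pairs for weak module settings."""
    glob, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**glob, **params}  # module settings override globals
        if not eff.get("authusers"):
            findings.append((name, "no auth users: anonymous access"))
        elif not eff.get("secretsfile"):
            findings.append((name, "auth users without secrets file"))
        if eff.get("readonly", "yes").lower() in ("no", "false", "0"):
            findings.append((name, "writable module"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONF)` reports only the two invented modules; the modules copied from the quoted configuration pass.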