Thank you, HTH, for your effort! Your setup is absolutely reasonable –
as long as you are on a trusted (local) network and don’t need encrypted
transport.

Apart from that, the setup with rrsync would be much less complicated –
if it worked …


On 10.02.21 at 17:10, G.W. Haywood via BackupPC-users wrote:
> Hi there,
>
> On Wed, 10 Feb 2021, Felix Wolters wrote:
>
>> I'd like to use it with restricted access to the client ...
>
> If I understand you correctly there's no need for complications, you
> can do that with plain vanilla rsyncd.  It's what I do on my machines.
> Forbidding ssh access further reduces the attackable surface.
>
> 1.  Set up an rsyncd daemon on the client which listens for connections
> from rsync on the backup server.  Configuration like this for example:
>
> 8<----------------------------------------------------------------------
> ...
> [Config]
> path=/etc
> auth users=whatever
> secrets file=/etc/rsyncd.auth
>
> [Homes]
> path=/home
> auth users=whatever
> secrets file=/etc/rsyncd.auth
> ...
> 8<----------------------------------------------------------------------
>
> The [words] in square brackets are what rsyncd knows as 'modules'.
> Any module is read-only by default, so, even if it can connect to the
> client's rsyncd daemon, the backup server can't write to anything in
> those directories.  You forbid access to anything else.  The file
> named in the 'secrets file' line contains just a single line with the
> username 'whatever' (with no quotes), a colon, and the password for
> that user. The user's password also appears in the Perl variable
> $Conf{RsyncdPasswd} in the config fragment (usually in the file called
> /.../BackupPC/pc/client.pl) on the backup server.  The user can be one
> which you create purely for backup purposes, and probably should be.
>
> 2.  Set up 'rsyncd' transfers on the backup server like this, in the
> file /.../BackupPC/pc/client.pl.  Obviously any other special config
> for the client goes in there too.
>
> 8<----------------------------------------------------------------------
> $Conf{XferMethod}       = 'rsyncd';
> $Conf{RsyncShareName}   = ['Config','Homes','usr_local_sbin','site_perl','usr_share_perl5_email'];
> $Conf{RsyncdUserName}   = 'whatever';
> $Conf{RsyncdPasswd}     = 'redacted';
> 8<----------------------------------------------------------------------
>
> 3. (Optional)
>
> Instead of running the rsyncd daemon on the client 24/7 you can run it
> via one of the super-servers, inetd or xinetd.  Nowadays I tend to use
> xinetd but that's up to you.  The configurations are very different
> for inetd and xinetd.  Using a super-server like this lets you further
> restrict connections as you'll see below in the 'only_from' line:
>
> 8<----------------------------------------------------------------------
> client:~ cat /etc/xinetd.d/rsyncd
> ...
> service rsync
> {
>         flags           = REUSE
>         socket_type     = stream
>         port            = 873
>         wait            = no
>         user            = root
>         group           = root
>         server          = /usr/bin/rsync
>         server_args     = --daemon
>         log_on_failure  += USERID
>         disable         = no
>         only_from       = 127.0.0.1 192.168.1.5 192.168.1.47 192.168.1.246
> }
> 8<----------------------------------------------------------------------
>
> If you run a super-server, don't forget that you'll need to restart it
> after making any change to its configuration.
>
> I've used this setup for quite a few years with no issues.
>
> HTH
>


_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
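
The restrictions described in the quoted message (read-only modules, `auth users` plus a `secrets file`) can be checked mechanically. The following is an added example, not part of the original thread or of BackupPC: a small auditor for `rsyncd.conf`. The function names `parse` and `audit` and the `[Scratch]` module are invented for illustration, and the check on rsyncd's own `hosts allow` parameter is an addition alongside the xinetd `only_from` restriction shown in the thread.

```python
import re

# Constructed sample: [Config] is the module from the thread; [Scratch] is a
# deliberately weak module invented for this example.
SAMPLE = """\
hosts allow = 192.168.1.5

[Config]
path=/etc
auth users=whatever
secrets file=/etc/rsyncd.auth

[Scratch]
path=/srv/scratch
read only = no
hosts allow = *
"""

def parse(text):
    """Return (global_params, {module: params}); keys lower-cased, spaces collapsed."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            target = global_params if current is None else current
            target[" ".join(key.lower().split())] = value.strip()
    return global_params, modules

def audit(text):
    """Return {module: [findings]}; module settings override global ones."""
    global_params, modules = parse(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}
        findings = []
        if eff.get("read only", "yes").lower() in {"no", "false", "0"}:
            findings.append("writable")  # modules are read-only unless overridden
        if not (eff.get("auth users") and eff.get("secrets file")):
            findings.append("auth users/secrets file not both set")
        if eff.get("hosts allow", "*") in {"*", ""}:
            findings.append("no hosts allow restriction")
        report[name] = findings
    return report
```

Calling `audit(open("/etc/rsyncd.conf").read())` on the client returns an empty list for each module that meets all three checks.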
