Greg, Yupp, that’s the principle, especially refer to the paragraph
https://dev-notes.eu/2016/08/secure-rsync-between-servers/#limit-actions-for-this-ssh-connection-to-restricted-rsync

I can recommend it so far. I may add, that working with a non-privileged
user isn’t even necessary in many cases, as rrsync is able to restrict
access to (1.) a specific command (if need be with specific options),
(2.) a specific folder, and (3.) to read only access – but offer full
root access and allowing rsync -a to keep users, groups and permissions.
That makes it powerful. The problem here just seems to be that rrsync
(on the client to back up) and rsync-bpc are not compatible, and a
patched rrsync will – hopefully! – be the solution.

On 10.02.21 at 17:35, Greg Harris wrote:
> Felix,
>
> I’m trying to follow along and learn a bit here. Is this the concept
> you are working towards:
>
> https://dev-notes.eu/2016/08/secure-rsync-between-servers/
>
> Thanks,
>
> Greg Harris
>
>> On Feb 10, 2021, at 11:24 AM, Felix Wolters <li...@felix-wolters.com>
>> wrote:
>>
>> Thank you, HTH, for your effort! Your setup is absolutely reasonable –
>> as long as you are on a trusted (local) network and don’t need encrypted
>> transport.
>>
>> Apart from that, the setup with rrsync would be much less complicated –
>> if it worked …
>>
>>
>> On 10.02.21 at 17:10, G.W. Haywood via BackupPC-users wrote:
>>> Hi there,
>>>
>>> On Wed, 10 Feb 2021, Felix Wolters wrote:
>>>
>>>> I'd like to use it with restricted access to the client ...
>>>
>>> If I understand you correctly there's no need for complications, you
>>> can do that with plain vanilla rsyncd. It's what I do on my machines.
>>> Forbidding ssh access further reduces the attackable surface.
>>>
>>> 1. Set up an rsyncd daemon on the client which listens for connections
>>> from rsync on the backup server. Configuration like this for example:
>>>
>>> 8<----------------------------------------------------------------------
>>> ...
>>> [Config]
>>> path=/etc
>>> auth users=whatever
>>> secrets file=/etc/rsyncd.auth
>>>
>>> [Homes]
>>> path=/home
>>> auth users=whatever
>>> secrets file=/etc/rsyncd.auth
>>> ...
>>> 8<----------------------------------------------------------------------
>>>
>>> The [words] in square brackets are what rsyncd knows as 'modules'.
>>> Any module is read-only by default, so, even if it can connect to the
>>> client's rsyncd daemon, the backup server can't write to anything in
>>> those directories. You forbid access to anything else. The file
>>> named in the 'secrets file' line contains just a single line with the
>>> username 'whatever' (with no quotes), a colon, and the password for
>>> that user. The user's password also appears in the Perl variable
>>> $Conf{RsyncdPasswd} in the config fragment (usually in the file called
>>> /.../BackupPC/pc/client.pl) on the backup server. The user can be one
>>> which you create purely for backup purposes, and probably should be.
>>>
>>> 2. Set up 'rsyncd' transfers on the backup server like this, in the
>>> file /.../BackupPC/pc/client.pl. Obviously any other special config
>>> for the client goes in there too.
>>>
>>> 8<----------------------------------------------------------------------
>>> $Conf{XferMethod} = 'rsyncd';
>>> $Conf{RsyncShareName} =
>>>     ['Config','Homes','usr_local_sbin','site_perl','usr_share_perl5_email'];
>>> $Conf{RsyncdUserName} = 'whatever';
>>> $Conf{RsyncdPasswd} = 'redacted';
>>> 8<----------------------------------------------------------------------
>>>
>>> 3. (Optional)
>>>
>>> Instead of running the rsyncd daemon on the client 24/7 you can run it
>>> via one of the super-servers, inetd or xinetd. Nowadays I tend to use
>>> xinetd but that's up to you. The configurations are very different
>>> for inetd and xinetd. Using a super-server like this lets you further
>>> restrict connections as you'll see below in the 'only_from' line:
>>>
>>> 8<----------------------------------------------------------------------
>>> client:~ cat /etc/xinetd.d/rsyncd
>>> ...
>>> service rsync
>>> {
>>>     flags           = REUSE
>>>     socket_type     = stream
>>>     port            = 873
>>>     wait            = no
>>>     user            = root
>>>     group           = root
>>>     server          = /usr/bin/rsync
>>>     server_args     = --daemon
>>>     log_on_failure  += USERID
>>>     disable         = no
>>>     only_from       = 127.0.0.1 192.168.1.5 192.168.1.47 192.168.1.246
>>> }
>>> 8<----------------------------------------------------------------------
>>>
>>> If you run a super-server, don't forget that you'll need to restart it
>>> after making any change to its configuration.
>>>
>>> I've used this setup for quite a few years with no issues.
>>>
>>> HTH
>>>
>>
>>
>
>
>
_______________________________________________ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List: https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki: https://github.com/backuppc/backuppc/wiki Project: https://backuppc.github.io/backuppc/
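The rsyncd setup quoted in this thread relies on three restrictions per module: modules are read-only unless a module says otherwise, 'auth users' plus a 'secrets file' put a password in front of the module, and source addresses are limited (in the thread by xinetd's 'only_from'; rsyncd.conf has its own 'hosts allow' for the same purpose). The following audit script is an added example, not code from the thread, from BackupPC or from rsync. Its rsyncd.conf text is constructed: the [Config] and [Homes] modules mirror the ones Haywood posted, and a third [Scratch] module is deliberately loose so the audit has something to flag. The rules it applies are this example's own reading of rsyncd.conf semantics, as described above.

```python
"""Audit an rsyncd.conf for the module restrictions discussed in the thread.

Added example (not from the thread, BackupPC or rsync). SAMPLE_RSYNCD_CONF
is constructed; the audit rules are this example's reading of rsyncd.conf:
  - a module is read-only unless it sets 'read only = no'
  - 'auth users' together with 'secrets file' gate a module with a password
  - 'hosts allow' limits source addresses (what xinetd 'only_from' does at
    the super-server layer in the thread)
"""
import re
from typing import Dict, List

SAMPLE_RSYNCD_CONF = """\
# constructed sample rsyncd.conf, modelled on the thread's modules
uid = nobody
gid = nogroup

[Config]
path = /etc
auth users = whatever
secrets file = /etc/rsyncd.auth
hosts allow = 192.168.1.5

[Homes]
path = /home
auth users = whatever
secrets file = /etc/rsyncd.auth

[Scratch]
path = /srv/scratch
read only = no
"""

NO_VALUES = {"no", "false", "0", "off"}


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"": global settings, "<module>": module settings, ...}.

    Keys are lower-cased and whitespace around '=' is dropped, since
    rsyncd.conf ignores both; lines starting with '#' are comments.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_module(settings: Dict[str, str]) -> List[str]:
    """Return one finding per missing restriction (empty list = tight)."""
    findings: List[str] = []
    if settings.get("read only", "yes").strip().lower() in NO_VALUES:
        findings.append("writable: 'read only = no' lets a connecting "
                        "rsync modify the client's files")
    if "auth users" not in settings:
        findings.append("no 'auth users': anyone who can reach port 873 "
                        "may read the module")
    elif "secrets file" not in settings:
        findings.append("'auth users' set without 'secrets file': there "
                        "is no password to check against")
    if "hosts allow" not in settings:
        findings.append("no 'hosts allow': source addresses are limited "
                        "only by a super-server or firewall, if at all")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every module; global settings apply unless a module overrides."""
    sections = parse_rsyncd_conf(text)
    globals_ = sections[""]
    return {name: audit_module({**globals_, **module})
            for name, module in sections.items() if name}


if __name__ == "__main__":
    for module, findings in audit(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}] {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real /etc/rsyncd.conf by passing the file's contents to audit(). A module with no findings matches the thread's setup: read-only, password-gated, and reachable only from listed addresses; the [Homes] module from the thread shows up with a single note because, as posted, it leaves source filtering to xinetd.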