Root, sudo, and rsnapshot

Introduction

The Mission:

To rsync and/or rsnapshot both normal and protected/restricted files from one
server to another over ssh without enabling remote root access to either
server while maintaining original file attributes and permissions. Whew.

Cast of Characters

• uno: the server which will store the backups, run rsync or
  rsnapshot.
• zero: the server to be backed up, with root readable files (/etc for
  example).

Prerequisites

• root on both uno and zero, hopefully via sudo and not by remote
  root ssh access!

Configuration

The command examples here are specific to Debian (and therefore Ubuntu), so
adjust to your distribution accordingly (though little if any adjustment should
be necessary).

Server: uno (backup server)

Create new backup user, lets call it rbackup:

$ sudo adduser rbackup 

Login as rbackup, create an ssh key pair:

$ su rbackup $ ssh-keygen -t rsa 

If you are running sshd on a non-standard port (like I am), as user rbackup
create a file named config in ~/.ssh. In this file, enter the host and port:

Host zero Port 12345 

While still user rbackup, copy the public key id_rsa.pub somewhere publicly
accessible.

As your regular user (which already has ssh access to zero), send rbackup’s
public key from uno to zero:

$ scp /home/rbackup/id_rsa.pub zero:~/ 

Become root, sudo -i. If it doesn’t exists, make root’s ssh directory, set
the correct permissions, create a ssh config file:

# mkdir .ssh # chmod 700 .ssh # cd .ssh # vim config 

In root’s .ssh/config file:

Host zero-rsync Port 12345 Hostname zero User rbackup IdentityFile /home/rbackup/.ssh/id_rsa 

Save the file, set permissions:

# chmod 600 config 

Server: zero (server to be backed up)

Create new backup user, lets call it rbackup:

$ sudo adduser rbackup 

Make uno’s public key id_rsa.pub available to user rbackup.

Login as rbackup, create a .ssh directory, set permissions, create an
authorized_keys file:

$ su rbackup $ cd $ mkdir .ssh $ chmod 700 .ssh $ cd .ssh $ cat /home/regularuser/id_rsa.pub > authorized_keys $ chmod 600 authorized_keys 

Now we want to limit the use of this authorized key by allowing connections
only from uno, and allowing one command only. Edit the key, and add something
like this to the beginning of the key:

from="192.168.100.123",command="/home/rbackup/validate-rsync.sh" ssh-rsa AX ...remainder of key...rbackup@uno 

While still user rbackup, create a script named validate_rsync.sh in your
home directory:

$ cd $ vim validate_rsync.sh 

Contents of validate_rsync.sh:

#!/bin/sh case "$SSH_ORIGINAL_COMMAND" in *\&*) echo "Connection closed" ;; *\;*) echo "Connection closed" ;; rsync*) $SSH_ORIGINAL_COMMAND ;; *true*) echo $SSH_ORIGINAL_COMMAND ;; *) echo "Connection closed." ;; esac 

As your regular user (which can sudo):

$ sudo visudo 

Add this line to the bottom:

rbackup ALL=NOPASSWD:/usr/bin/rsync 

If you have the AllowUsers directive set for sshd in /etc/ssh/sshd_config,
make sure to add the user rbackup to the list, and restart sshd.

As root or with sudo, create a simple rsync wrapper, named rsync_wrapper.sh at /usr/local/bin,
containing:

#!/bin/sh /usr/bin/sudo /usr/bin/rsync "$@"; 

Testing

Test 1

Become user rbackup on uno, attempt ssh to zero:

$ ssh zero 

Expected response:

Connection closed. Connection to zero closed. 

The “Connection closed.” with the period at the end tells us the
validate_rsync.sh worked as expected (echoing the last Connection closed).

Test 2

Become root on uno, attempt to ssh to zero-rsync (the alias set in root’s
.ssh/config):

# ssh zero-rsync 

Expected response:

Connection closed. Connection to zero closed. 

Test 3

Become root on uno, attempt to rsync something on zero that is restricted:

# rsync -ae ssh --rsync-path='rsync_wrapper.sh' zero-rsync:/etc /home/regularuser/tmp/ 

Expected response: you should have a copy of zero’s /etc directory in
regular users tmp directory (or wherever). Important things to note in the above
command – the –rsync-path switch and using zero-rsync as the host instead of
just zero.

Using rsnapshot

If the above tests all work, setting up rsnapshot is easy. Check
any other guide for general setup info, the relevant stuff for us to use in our
rsnapshot.conf is:

rsync_long_args --rsync-path=rsync_wrapper.sh --delete --numeric-ids --relative --delete-excluded backup rbackup@zero-rsync:/etc zero/ 

Remember the rsnapshot.conf file needs tabs. The rsync_long_args setting is
rsnapshot’s default rsync arguments, with our --rsync-path=rsync_wrapper.sh
added. The backup command has our backup user (rbackup) and the host alias
set in root@uno’s .ssh/config.

Extra sshd_config parameters

AuthorizedKeysFile .ssh/authorized_keys2

References

This was pieced together from various notes, blogs, and articles.
Some script source and extra-helpful information was found at:

• alien.slackbook.org/dokuwiki/doku.php?id=linux:rsnapshot
• troy.jdmz.net/rsnapshot/
• www.cyberciti.biz/faq/linux-rsnapshot-backup-howto/
• serverfault.com/questions/136549/rsync-over-ssh-with-root-access-on-both-sides
• http://technokracy.net/2011/01/07/root_sudo_rsnapshot/