Restrict rsync over ssh read only / only copy from remote host

I want a backup host to be able to pull backups from a remote host.
The backup host uses ssh key authentication to authenticate as a restricted user on the remote host; this user is restricted to the rsync command using the authorized_key file. /etc/sudoers allows the user to execute rsync as superuser.
The backup host should logically only be able to read files / copy files from the remote host, not write files / copy files to the remote host, as it could easily compromise the remote host by overwriting /etc/passwd or just tamper with the files if it were compromised itself.
How can I achieve this? I already read about rrsync, but didn't see an option which allowed this.
linux backup rsync
asked Mar 22 '16 at 9:06
Zulakis

4 Answers
Have a look at authprogs - I was using it for a quite similar scenario (backuppc via ssh)
answered Mar 22 '16 at 10:21
Henrik

The -ro flag of rrsync ensures that rsync is called with the --sender option, which should, according to the rrsync documentation, ensure that files can only be read - however, I could not find an authoritative source (aka rsync documentation) which confirms that. In my tests, it was sufficient to prevent writes to the server.
answered Mar 22 '16 at 11:27
Zulakis

This is close to necromancing, but still I found this question first and feel this is incomplete, because it relies on external programs.
So in pull mode, on the receiver's side, the read-only mode presupposes trust though. As a backup method above commands might work well as long as only the properly configured client requests the data. If you want to restrict what rsync over ssh can do one remote setting ro client side may not be enough.
If you have access to the server the data is being pulled from over SSH there is some simple extra configuration to be done to restrict what the logged in user can do. SSH, used with a public and a private key, offers this additional way of ensuring the client can call a specific command only.
This is how it's done. On the server, where the data is being pulled from, there is a ~/.ssh/known_hosts file in user's home directory. The file holds one line per host that it knows the pubkey of, like this

ssh-dss AAAAB3....o9M9qz4xqGCqGXoJw= user@host

Prefix that with the command you want to allow

command="/bin/myscript.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3....o9M9qz4xqGCqGXoJw= user@host

to have it such that user@host can only execute /bin/myscript.sh on remote.
A related question with good answers is over at the SO site.
answered Feb 14 at 16:22
raddaqii

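Added example (not part of any answer here, and not rrsync's or sshdo's code): a forced-command wrapper that combines the --sender check from the rrsync answer with the command= restriction from the answer above, which sshd reads from the account's authorized_keys file. The install path /usr/local/bin/rsync-pull-only, the tree /srv/backup-src, the --enforce argument, the rsync path and the long-option allowlist are assumptions; sample commands in the comments are constructed.

```shell
#!/bin/sh
# Forced-command wrapper: permit only "pull" (sender-side) rsync under one tree.
# Assumed wiring in authorized_keys (path and key are placeholders):
#   command="/usr/local/bin/rsync-pull-only --enforce",no-port-forwarding,
#     no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 <public-key> backup@host
# (one line in the real file). A pull such as "rsync -a host:/srv/backup-src/etc/ ."
# arrives as e.g.: rsync --server --sender -logDtpre.iLsfxC . /srv/backup-src/etc/
LC_ALL=C; export LC_ALL           # make the A-Z / a-z ranges below byte-exact
ALLOWED_ROOT=/srv/backup-src      # hypothetical tree the backup host may read
RSYNC=/usr/bin/rsync              # assumed rsync location, the one sudoers permits

# is_pull_only CMD -> 0 if CMD is an rsync server call that can only send files.
is_pull_only() {
    set -f                        # no globbing while CMD is split into words
    set -- $1                     # split on whitespace; the string is never eval'd
    set +f
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    paths=0
    for tok in "$@"; do
        case $tok in
            *[!A-Za-z0-9./_=,+:@%-]*) return 1 ;;   # quotes, ;, $, backticks, ...
        esac
        case $tok in
            --numeric-ids|--bwlimit=*) ;;   # example allowlist of long options
            --*) return 1 ;;      # default deny: --remove-source-files, --log-file, ...
            -*) ;;                # short flag cluster, e.g. -logDtpre.iLsfxC
            .) ;;                 # placeholder argument sent before the paths
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*)
                case /$tok/ in */../*) return 1 ;; esac   # no climbing out
                paths=$((paths + 1)) ;;
            *) return 1 ;;        # any path outside the allowed tree
        esac
    done
    [ "$paths" -ge 1 ]
}

# Runs only when sshd invokes the wrapper with --enforce (see wiring above).
if [ "${1:-}" = "--enforce" ]; then
    if is_pull_only "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        shift                     # drop the client's "rsync", use our fixed path
        exec sudo -n "$RSYNC" "$@"    # argv handed over directly, no shell re-parse
    fi
    # Leave a trail for detection: a denied command from the backup key is a signal.
    logger -p auth.warning -t rsync-pull-only \
        "denied from ${SSH_CONNECTION%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "rsync-pull-only: command not permitted" >&2
    exit 1
fi
```

The default-deny on long options matters because --sender alone does not make the call read-only: --remove-source-files deletes files on the sending side and --log-file writes one there.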
[Disclosure: I wrote sshdo which is described below]
As mentioned above, rrsync can be used to control what rsync can do over ssh but, like most uses of ssh forced commands, it's limited to a single rsync command per authorized key.
Another way to control what rsync can do over ssh is to use a generic command whitelisting control for ssh.
There's a program called sshdo for doing this. It controls which commands may be executed via incoming ssh connections. It's available for download at:
http://raf.org/sshdo/ (read manual pages here)
https://github.com/raforg/sshdo/
It has a training mode to allow all commands that are attempted, and a --learn option to produce the configuration needed to allow learned commands permanently. Then training mode can be turned off and any other commands will not be executed.
It also has an --unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.
It is very fussy about what it allows. It won't allow a command with any arguments. Only complete shell commands can be allowed.
But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).
It's like a firewall or whitelisting control for ssh commands.
answered 11 mins ago
raf