Mario Ohnewald
I have two boxes and want to save a backup of each on the other. So far I have created an ssh key for both machines so I can make an ssh rsync to each other. But the terrible side effect is that IF one of those boxes gets compromised the cracker will be root on both of them!!!
[...]
Any ideas/hints?
As far as I understand, you need to

- run rsync as root on the source machine (to access all files)
- connect to the target machine non-interactively with ssh
- run rsync as root on the target machine (to avoid losing permissions)

It should be possible to create a script running rsync as root on the source machine. rsync should connect via ssh to the target machine as a specially created user (on the target machine) using public key auth.

On the target machine the special user should only be allowed to log in with the designated ssh key (passwd -l et al.), should preferably be chroot-ed and should have an ~/.ssh/authorized_keys file where the ssh command feature is used, i.e. connecting using the specified key will result in executing the specified command ... always. Other limitations for the key (from IP, no forwarding et al.) should be applied, too.

Next, you need to find out which command is required by rsync on the receiving side (target host); $SSH_ORIGINAL_COMMAND might help here (google for it).

So far, connecting to the target host is only possible using the ssh key you created (without passphrase that is) and will always result in rsync doing its target side magic. However, since rsync does not run as root on the target machine you will still lose permissions. To circumvent this, you could record all permissions to a file (best within your backup script) and sync this one along with all the other data. Of course you will have to create another script that will restore permissions in case you use backed up files from the target machine on the source machine again.

Alternatively, you could use sudo on the target machine to allow the special account to run rsync as root (and only that). However, chroot-ing the special account on the target machine is problematic then, since you need sudo inside your cage, which is SUID 0.

Note that I haven't tested such a setup.

Hope that helps,
Ulf
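The forced-command restriction described in the reply, sketched as an added example that is not part of the original thread: a wrapper that the backup key is pinned to, which inspects $SSH_ORIGINAL_COMMAND and only lets a receive-side rsync into one directory through. The script path, the backup directory, the source address and the allowed option list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper (hypothetical path /usr/local/bin/rsync-only).
# Matching ~/.ssh/authorized_keys entry for the special user on the target,
# with a constructed source address and a placeholder key:
#   command="/usr/local/bin/rsync-only",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> backup-push

BACKUP_ROOT="/srv/backup/source1"   # assumption: the only tree this key may write to

# Return 0 only for a receive-side "rsync --server" whose destination lies
# inside BACKUP_ROOT; anything else (shell, --sender, other paths) is refused.
check_rsync_command() {
    cmd=$1
    # Allowlist the character set, so no quoting, globbing or shell syntax survives.
    case $cmd in
        *[!A-Za-z0-9\ ./_,=-]*) return 1 ;;
    esac
    set -- $cmd                      # plain word splitting, safe after the check above
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    while [ "$#" -gt 2 ]; do         # everything before the final ". DEST" pair
        case $1 in
            --delete|--numeric-ids) ;;   # long options this backup job is allowed to use
            --*) return 1 ;;             # --sender, --log-file=..., --backup-dir=... etc.
            -[A-Za-z]*) ;;               # short-flag cluster such as -logDtpre.iLsfxC
            *) return 1 ;;
        esac
        shift
    done
    [ "$#" -eq 2 ] && [ "$1" = . ] || return 1
    case $2 in
        *..*) return 1 ;;                             # no parent-directory escapes
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) return 0 ;;
    esac
    return 1
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # no shell re-parsing; words only
    fi
    echo "rsync-only: rejected command" >&2
    exit 1
fi
```

The exact argument string depends on the rsync version and the options the source side uses, so record $SSH_ORIGINAL_COMMAND once from a known-good run and adjust the allowlist to match.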