
rsync as root without ssh as root


Guillaume Dargaud

May 15, 2013, 5:33:21 AM
Hello all,
I do my backups with rsync, but since I won't allow ssh root logins, I
always thought that I had to physically connect the disk to the PC.

Since I keep my backups offsite, I'd much rather also do the backup via ssh.

I recently saw a comment mentioning that it is possible for rsync to become
root without using a root login. But there were no details.

Can anybody fill me in on that? Is it some ssh command with a sudo inside
or something?

Thanks.
--
Guillaume Dargaud
http://www.gdargaud.net/

Stachu 'Dozzie' K.

May 15, 2013, 5:37:07 AM
On 2013-05-15, Guillaume Dargaud <use_the_co...@www.gdargaud.net> wrote:
> Hello all,
> I do my backups with rsync, but since I won't allow ssh root logins, I
> always thought that I had to physically connect the disk to the PC.
>
> Since I keep my backups offsite, I'd much rather also do the backup via ssh.

Why insist on SSH? Is SSL/TLS bad for you for some reason?

> I recently saw a comment mentioning that it is possible for rsync to become
> root without using a root login. But there were no details.
>
> Can anybody fill me in on that? Is it some ssh command with a sudo inside
> or something?

I don't know what that was about, but for sure you can set up rsync
wrapped with SSL, then you won't need to allow SSH for the root user.
http://dozzie.jarowit.net/trac/wiki/RsyncSSL

--
Secunia non olet.
Stanislaw Klekot

Guillaume Dargaud

May 15, 2013, 9:57:38 AM
> Why insist on SSH? Is SSL/TLS bad for you for some reason?

Simply never thought about it... and never had to configure SSL before.

Sure, it secures the transport, but I don't really see how it helps with
files with root privileges.
Is something like that possible?
rsync -Cavz user@server:/ /Backup/

> I don't know what was that about, but for sure you can set up rsync
> wrapped with SSL, then you won't need to allow SSH for root user.
> http://dozzie.jarowit.net/trac/wiki/RsyncSSL

OK, so if I understand the very short explanation on that page, I should do
something like:
rsync -Cavz --rsh=/usr/bin/stunnel user@server:/Somedir /Backup/
I get:
Section stunnel: SSL server needs a certificate

But I have no idea what to do at this point.

Stachu 'Dozzie' K.

May 15, 2013, 10:27:08 AM
On 2013-05-15, Guillaume Dargaud <use_the_co...@www.gdargaud.net> wrote:
>> Why insist on SSH? Is SSL/TLS bad for you for some reason?
>
> Simply never thought about it... and never had to configure SSL before.
>
> Sure, it secures the transport, but I don't really see how it helps with
> files with root privileges.

If you need to write the files in a directory owned by root, you just
need the root privileges. What SSL does here is remove the necessity of
enabling root to log in with SSH.

>> I don't know what was that about, but for sure you can set up rsync
>> wrapped with SSL, then you won't need to allow SSH for root user.
>> http://dozzie.jarowit.net/trac/wiki/RsyncSSL
>
> OK, so if I understand the very short explanation on that page, I should do
> something like:
> rsync -Cavz --rsh=/usr/bin/stunnel user@server:/Somedir /Backup/
> I get:
> Section stunnel: SSL server needs a certificate
>
> But I have no idea what to do at this point.

Well then, you probably want to ask your system administrator to set up
these backups for you.

Thomas 'PointedEars' Lahn

May 15, 2013, 2:43:52 PM
Guillaume Dargaud wrote:

> But I have no idea what to do at this point.

Fix your From header field value so that it complies with RFC 5536.

Then RTFM.

--
PointedEars

Twitter: @PointedEars2
Please do not Cc: me. / Bitte keine Kopien per E-Mail.

Kenny McCormack

May 15, 2013, 3:09:13 PM
In article <9087031.I...@PointedEars.de>,
the always charming Thomas 'PointedEars' Lahn <use...@PointedEars.de> wrote:
>Guillaume Dargaud wrote:
>
>> But I have no idea what to do at this point.
>
>Fix your From header field value so that it complies with RFC 5536.
>
>Then RTFM.

And helpful and polite as always...

--
Given Bush and his insanely expensive wars (*), that we will be paying for
for generations to come, the only possible response a sensible person need
ever give, when a GOPer/TeaBagger says anything about "deficits", is a
polite snicker.

(*) Obvious money transfers between the taxpayers and Bush's moneyed
interests. Someday, we'll actually figure out a way to have a war where the
money just gets moved around and nobody (on either side) gets injured or
killed. That will be an accomplishment of which we will be justly proud.

Thomas 'PointedEars' Lahn

May 15, 2013, 3:48:19 PM
Kenny McCormack wrote:

> the always charming

My, thank you.

> Thomas 'PointedEars' Lahn wrote:
>> Guillaume Dargaud wrote:
>>> But I have no idea what to do at this point.
>>
>> Fix your From header field value so that it complies with RFC 5536.
>>
>> Then RTFM.
>
> And helpful and polite as always...

As always, I am as polite as I think the OP deserves, considering their
posting, and their efforts to solve their problem thus displayed.

Where is your polite and helpful answer?

Icarus Sparry

May 16, 2013, 4:21:50 PM
There are several things that you might be thinking of; it is hard to
know which one.

The following is oversimplified, but I hope a good starting point.

The first question that you need to answer is "What permissions do I need
on the local end?". Typically if you are backing up the entire system
then you will need to be "root" on the local machine, but if it is only
your files then you can just use your normal user account.

Then you need to know what permissions you need on the remote machine. If
you need to create files that are owned by many different accounts then
you probably need to be "root" on the far end. (Some versions of Unix
allow you to change the ownership of files if you own them and are not
root, but most do not). If you only need to create files owned by
yourself then you probably don't need to be "root".

Now that you know what accounts you need, .......

"I won't allow ssh root logins". Presumably you are thinking about not
allowing interactive login shells for "root". However ssh allows much
more control, in particular in the file "~/.ssh/authorized_keys" you can
add a 'command="/usr/bin/wibble"' to a key to restrict what that key can
do. You can also specify 'from="pattern-list"' so you could set things up
so the remote machine does allow you to have a public-key private-key
pair to allow you to launch rsync as root on the remote machine but only
from your local machine, and not to launch anything other than rsync.

You might be thinking of running rsync in daemon mode on the far end. In
this way of operation the far end listens (either directly or via some
other program like inetd or xinetd) for commands on a TCP port.

Others in this thread have mentioned using other tunneling techniques.

As a general comment, you need to decide what your security goals are,
and then set out to achieve them. Not allowing root logins on the remote
box is meaningless if I can use rsync to overwrite the password file and
the sshd.conf file by sending in a carefully constructed request.

Guillaume Dargaud

May 30, 2013, 8:25:28 AM
> The first question that you need to answer is "What permissions do I need
> on the local end?". Typically if you are backing up the entire system
> then you will need to be "root" on the local machine, but if it is only
> your files then you can just use your normal user account.

Thanks for the detailed answer. Indeed mixed accounts seem messy to back up
remotely.
I think what I saw were the --super and/or --fake-super options, but they
don't apply well in that case.
Replacing a simple "sudo rsync /a /b" by multiple ones that respect the
various accounts is possible in some cases (for user accounts), but not for
others.

Anyway, thanks for the info about the specific ssh root ssh without login,
that's probably the simplest way to do it.

> As a general comment, you need to decide what your security goals are,
> and then set out to achieve them. Not allowing root logins on the remote
> box is meaningless if I can use rsync to overwrite the password file and
> the sshd.conf file by sending in a carefully constructed request.

Indeed !

Guillaume Dargaud

May 30, 2013, 8:30:30 AM
Thomas 'PointedEars' Lahn wrote:

> Fix your From header field value so that it complies with RFC 5536.

From: Thomas 'PointedEars' Lahn <Point...@web.de>
From: Guillaume Dargaud <use_the_co...@www.gdargaud.net>

Care to tell me what is wrong with my From header?!?
If you complain about everyone who puts an invalid email in there to avoid
spam, you must be a pretty busy man.

Thomas 'PointedEars' Lahn

May 30, 2013, 9:00:00 AM
Guillaume Dargaud wrote:

> Thomas 'PointedEars' Lahn wrote:
>> Fix your From header field value so that it complies with RFC 5536.
>
> From: Thomas 'PointedEars' Lahn <Point...@web.de>
> From: Guillaume Dargaud <use_the_co...@www.gdargaud.net>
>
> Care to tell me what is wrong with my From header?!?

use_the_co...@www.gdargaud.net is not an e-mail address:

| Verifying <use_the_co...@www.gdargaud.net>...
| Mail exchanger(s) for www.gdargaud.net: none.
| `A' record for www.gdargaud.net:
| www.gdargaud.net has address 74.53.251.139
|
| […]
| spawn telnet -- 74.53.251.139 smtp
| Trying 74.53.251.139...
| telnet: Unable to connect to remote host: Connection refused

RFC 5536 (“NetNews Message Format”) requires that the “From” header field
contains an e-mail address (“mailbox”):

<http://tools.ietf.org/html/rfc5536#section-3.1.2> p.

By forging the “From” header field you are helping spammers –

<http://www.interhack.net/pubs/munging-harmful/>

– and you are probably violating the Acceptable Use Policy of your service
provider, in2p3.fr or ac-versailles.fr:

<http://www.ac-versailles.fr/public/jcms/p1_19015/site-internet-de-lacademie-de-versailles-mentions-legales#titre10>

(violating Internet standards is _not_ “good use of the Internet”)

> If you complain about everyone who puts an invalid email in there to avoid
> spam, you must be a pretty busy man.

<hint-hint-hint>

I am giving this friendly hint only to those people whom have not
automatically killfiled yet. I am not the only one who does this.

</hint-hint-hint>


F'up2 poster
--
PointedEars

Bit Twister

May 30, 2013, 9:03:55 AM
On Thu, 30 May 2013 14:30:30 +0200, Guillaume Dargaud wrote:

> From: Guillaume Dargaud <use_the_co...@www.gdargaud.net>
>
> Care to tell me what is wrong with my From header?!?

Well for starters, spammers add the email address to their spam list
and their botnet zombies send out email. That causes extra load on
target mail servers which send back no such user therefore creating
more load on the Internet.

Just put <use_the_co...@www.gdargaud.net> in your signature file
and use something like
see_my_s...@mouse-potato.com or see_my_s...@nomail.afraid.org in
its place.

If curious where the zombie would send their spam, do a
ping mouse-potato.com or ping nomail.afraid.org
and check the ip address. 8-)

Seebs

Jun 2, 2013, 3:27:46 PM
On 2013-05-30, Tony the Tiger <to...@tiger.invalid> wrote:
> So, if that's a prerequisite to visit this group,

It's not.

I mean, there's a lot of reasons to prefer having a way for people to reach
you, but ultimately it's your call. I have known awesome people on Usenet
who didn't have "real" email addresses. The only real thing I'd advocate is
that fake ones should be .invalid or otherwise unlikely to cause problems
when spammers try to spam them.

-s
--
Copyright 2013, all wrongs reversed. Peter Seebach / usenet...@seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
Autism Speaks does not speak for me. http://autisticadvocacy.org/
I am not speaking for my employer, although they do rent some of my opinions.

Alan Gutierrez

Jun 3, 2013, 5:09:54 PM
On 5/15/13 5:33 AM, Guillaume Dargaud wrote:

> I do my backups with rsync, but since I won't allow ssh root logins, I
> always thought that I had to physically connect the disk to the PC.
>
> Since I keep my backups offsite, I'd much rather also do the backup via ssh.
>
> I recently saw a comment mentioning that it is possible for rsync to become
> root without using a root login. But there were no details.
>
> Can anybody fill me in on that? Is it some ssh command with a sudo inside
> or something?


Yes. Use the --rsync-path option to specify a sudo wrapper.

rsync -a -e "ssh" --rsync-path="sudo rsync" \
us...@server.domain.com:/opt/ /archive/opt/

That works if everything you copy is readable, but if you're going to
copy read-only files you're going to need to invoke rsync as root.

I use an ssh agent, so I add `-E` so that the environment variables that
describe the location of the agent socket propagate to the root user.
That way `ssh` can use my agent instead of looking for a key in root's
`~/.ssh`.

sudo -E rsync -a -e "ssh" --rsync-path="sudo rsync" \
us...@server.domain.com:/opt/ /archive/opt/

When you use `sudo` after you've already connected using ordinary `ssh`,
you'll probably be surprised when `ssh` asks you to confirm the server
key. That's because when you run as root, `ssh` uses root's
`~/.ssh/known_hosts`. I like to just tell `ssh` to use the known hosts
file of the sudoer.

sudo -E rsync -a \
-e "ssh -o UserKnownHostsFile=$HOME/.ssh/known_hosts" \
--rsync-path="sudo rsync" \
us...@server.domain.com:/opt/ /archive/opt/

If you're not using an agent, you'll have to specify which private key
to use to authenticate.

sudo rsync -a \
-e "ssh -i $HOME/.ssh/id_rsa \
-o UserKnownHostsFile=$HOME/.ssh/known_hosts" \
--rsync-path="sudo rsync" \
us...@server.domain.com:/opt/ /archive/opt/

Mix and match the above to get the sudo rsync invocation you need.

I am forever grateful for:

http://crashingdaily.wordpress.com/2007/06/29/rsync-and-sudo-over-ssh/

--
Alan Gutierrez ~ @bigeasy
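Two pieces of advice in this thread fit together: Icarus Sparry's pointer to `command=` and `from=` restrictions in `authorized_keys`, and the `--rsync-path="sudo rsync"` client invocation above. The forced-command wrapper below is an added example written for this edit; it is not code from the thread, from rsync, or from any poster. The `backup` account, the `/opt/` tree, the `203.0.113.10` client address, the install path and the sudoers line are all constructed assumptions. It makes the remote side refuse anything except a read-only rsync server confined to one directory, which is the "carefully constructed request" risk Icarus raises at the end of his post.

```shell
#!/bin/sh
# rsync-backup-only: forced-command wrapper for the remote (backed-up) host.
# Added example, not from this thread. Every path, user and address below is
# a constructed assumption.
#
# Install as /usr/local/bin/rsync-backup-only and bind it to the backup key in
# ~backup/.ssh/authorized_keys of an unprivileged 'backup' account:
#
#   from="203.0.113.10",command="/usr/local/bin/rsync-backup-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@laptop
#
# Pair it with a sudoers rule that grants only the read-only rsync server:
#
#   backup ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *
#
# The client side is the invocation from the thread:
#
#   rsync -a -e ssh --rsync-path="sudo rsync" backup@server:/opt/ /archive/opt/
#
# which sshd hands to this script as
#   SSH_ORIGINAL_COMMAND='sudo rsync --server --sender -logDtpre.iLsfxC . /opt/'
#
# A sudoers '*' matches across spaces, so the sudo rule on its own would still
# let the key add options or name another path; the checks below close that.

set -f               # no globbing: we word-split the command string below
ALLOWED_ROOT=/opt/   # the only tree this key may read; trailing slash matters

# check_rsync_command CMD
# Returns 0 when CMD is exactly a read-only rsync server run confined to
# ALLOWED_ROOT, 1 for anything else.
check_rsync_command() {
    cmd=$1

    # 1. No shell metacharacters or quotes: the words are exec'd as-is, and a
    #    ';' or '$' here must never get the chance to mean anything.
    case "$cmd" in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*|*\**|*\?*|*\'*|*\"*|*\\*)
            return 1 ;;
    esac

    # 2. Exact shape: sudo rsync --server --sender -<short opts> . <path>
    #    Extra tokens (e.g. --remove-source-files) or a missing --sender
    #    (which would make the server *write* as root) are refused.
    set -- $cmd
    [ $# -eq 7 ] || return 1
    [ "$1 $2 $3 $4" = "sudo rsync --server --sender" ] || return 1
    case "$5" in
        --*) return 1 ;;   # long options never form the compressed flag word
        -*)  ;;
        *)   return 1 ;;
    esac
    [ "$6" = "." ] || return 1

    # 3. The source path must sit under ALLOWED_ROOT with no '..' component.
    case "$7" in
        "$ALLOWED_ROOT"*) ;;
        *) return 1 ;;
    esac
    case "/$7/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs this as the forced command. With
# SSH_ORIGINAL_COMMAND unset (a plain 'ssh backup@server') nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    echo "rsync-backup-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The shape check is deliberately strict: a client that passes `--protect-args` (`-s`), or a newer rsync that puts additional long options on the server command line, will be rejected until the policy is widened on purpose. rsync's own `support/rrsync` script implements the same idea with a fuller option table and is the better starting point for a permanent installation; the value of the short version above is that every accepted command is visible in a few lines.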

Thomas 'PointedEars' Lahn

Jun 13, 2013, 8:21:47 AM
Bit Twister wrote:

> On Thu, 30 May 2013 14:30:30 +0200, Guillaume Dargaud wrote:
>> From: Guillaume Dargaud <use_the_co...@www.gdargaud.net>
>>
>> Care to tell me what is wrong with my From header?!?
>
> Well for starters, spammers add the email address to their spam list
> and their botnet zombies send out email. That causes extra load on
> target mail servers which send back no such user therefore creating
> more load on the Internet.
>
> Just put <use_the_co...@www.gdargaud.net> in you signature file
> and use something like
> see_my_s...@mouse-potato.com or see_my_s...@nomail.afraid.org in
> its place.

Just to let you know, that is even more anti-social than using .invalid:

> If curious where the zombie would send their spam, do a
> ping mouse-potato.com or ping nomail.afraid.org
> and check the ip address. 8-)

Sadly, you have no clue how the Internet works. The people at Name.com LLC
are currently getting the spam targeted at your From “address”, and it is
one Joshua Anderson in California, United States, who gets the spam targeted
at afraid.org. Or anyone else (or their postmasters) who happen to register
a domain name that you, in your blissful ignorance, considered “fake”.

David W. Hodgins

Jun 13, 2013, 12:26:11 PM
On Thu, 13 Jun 2013 08:21:47 -0400, Thomas 'PointedEars' Lahn <Point...@web.de> wrote:

> Bit Twister wrote:
>> and use something like
>> see_my_s...@mouse-potato.com or see_my_s...@nomail.afraid.org in
>> its place.

> Just to let you know, that is even more anti-social than using .invalid:
>
>> If curious where the zombie would send their spam, do a
>> ping mouse-potato.com or ping nomail.afraid.org
>> and check the ip address. 8-)
>
> Sadly, you have no clue how the Internet works. The people at Name.com LLC
> are currently getting the spam targeted at your From “address”, and it is
> one Joshua Anderson in California, United States, who gets the spam targeted
> at afraid.org. Or anyone else (or their postmasters) who happen to register
> a domain name that you, in your blissful ignorance, considered “fake”.

The point that has been missed is that mouse-potato.com and
nomail.afraid.org are not fake host names.

$ host mouse-potato.com
mouse-potato.com has address 127.0.0.1
mouse-potato.com mail is handled by 10 127.0.0.1.mouse-potato.com

$ host nomail.afraid.org
nomail.afraid.org has address 127.0.0.212
nomail.afraid.org mail is handled by 10 nirvana.admins.ws.

In the case of nomail.afraid.org, that is a hostname I registered back
in 2005. The mx record points to a spamtrap address.

Note that someone would have to send 50 messages from the same ip to
the spamtrap, within a 7 day period, to get listed. For details, see
http://www.uceprotect.net/en/index.php?m=3&s=3

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Bit Twister

Jun 13, 2013, 2:22:12 PM
On Thu, 13 Jun 2013 14:21:47 +0200, Thomas 'PointedEars' Lahn wrote:
>
> Just to let you know, that is even more anti-social than using .invalid:

Only to the node sending to mouse-potato.com

>
>> If curious where the zombie would send their spam, do a
>> ping mouse-potato.com or ping nomail.afraid.org
>> and check the ip address. 8-)
>
> Sadly, you have no clue how the Internet works.

You might be right. I thought if someone sent some mail to
bittw...@mouse-potato.com, their system would do a dns look up for
mouse-potato.com and send the mail to
bittwister@whatever_ip_address_was_returned.

Click up a terminal and do a nslookup mouse-potato.com and tell me
what ip address would receive the mail.

Barry Margolin

Jun 13, 2013, 2:38:21 PM
In article <slrnkrk3nn.g...@wb.home.test>,
The MX record points to 127.0.0.1.mouse-potato.com, which doesn't have
any address (A or AAAA) records. So no machine should receive the mail.

mouse-potato.com has an A record that points to 127.0.0.1. But this
would only be used for mail delivery if there were no MX record. The
unusable MX record should prevent this, but I'll bet there are some
non-conforming MTAs and spam-cannons that will use it.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

Thomas 'PointedEars' Lahn

Jun 13, 2013, 3:56:16 PM
Barry Margolin wrote:

> Bit Twister <BitTw...@mouse-potato.com> wrote:
>> On Thu, 13 Jun 2013 14:21:47 +0200, Thomas 'PointedEars' Lahn wrote:
>> >
>> > Just to let you know, that is even more anti-social than using
>> > .invalid:
>>
>> Only to the node sending to mouse-potato.com
>>
>> >
>> >> If curious where the zombie would send their spam, do a
>> >> ping mouse-potato.com or ping nomail.afraid.org
>> >> and check the ip address. 8-)
>> >
>> > Sadly, you have no clue how the Internet works.
>>
>> You might be right. I thought if someone sent some mail to
>> bittw...@mouse-potato.com, their system would do a dns look up for
>> mouse-potato.com and send the mail to
>> bittwister@whatever_ip_address_was_returned.
>>
>> Click up a terminal and do a nslookup mouse-potato.com and tell me
>> what ip address would receive the mail.
>
> The MX record points to 127.0.0.1.mouse-potato.com, which doesn't have
> any address (A or AAAA) records. So no machine should receive the mail.

That is only half the truth. AIUI, because it cannot be delivered, the
e-mail will bounce back to its sender as identified by the “From” header field,
whose value will probably contain a harvested address if the mail is
sent by a spammer. When identifying a mailbox, it will be delivered to the
mailbox of the innocent person whose address has been harvested before.
When not identifying a mailbox, it will probably bounce back and forth
between the MTAs a couple of times until one of them gives up. Big time.

> mouse-potato.com has an A record that points to 127.0.0.1. But this
> would only be used for mail delivery if there were no MX record. The
> unusable MX record should prevent this, but I'll bet there are some
> non-conforming MTAs and spam-cannons that will use it.

Why do you consider the MX record for nomail.afraid.org “unusable”?

Octothorpe

Jun 13, 2013, 5:13:07 PM
On Thu, 13 Jun 2013 21:56:16 +0200, Thomas 'PointedEars' Lahn wrote:

[putolin]

>
>> mouse-potato.com has an A record that points to 127.0.0.1. But this
>> would only be used for mail delivery if there were no MX record. The
>> unusable MX record should prevent this, but I'll bet there are some
>> non-conforming MTAs and spam-cannons that will use it.
>
> Why do you consider the MX record for nomail.afraid.org “unusable”?

It was the MX record for mouse-potato.com.

Anyway, an MX record needs an A record tied to it and mouse-potato doesn't
have one, hence it is invalid.