Run an rsync replication script under a user other than root

Solution 1:

You can use fakeroot -s:

   -s save-file
          Save the fakeroot environment to save-file on exit. This file
          can be used to restore the environment later using -i. However,
          this file will leak and fakeroot will behave in odd ways unless
          you leave the files touched inside the fakeroot alone when
          outside the environment. Still, this can be useful. For example, it
          can be used with rsync(1) to back up and restore whole directory
          trees complete with user, group and device information without
          needing to be root. See /usr/share/doc/fakeroot/README.saving
          for more details.

Solution 2:

Rather than using a different account, have you considered only allowing forced commands with your ssh key? I wrote about how to set this up for rsync on my blog a while ago.

What it means is that the ssh key could only be used to run the exact rsync command you've specified, and nothing else.

Setting up a backup user isn't something I've looked at before, but I'd expect it to be a lot more work - also, since this is a multi-user system how would you ensure that all the files were readable by this user?
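
One way to set up the forced command described in Solution 2, as an added example (not taken from the answer or its blog post). The wrapper path, the key comment and the exact rsync server string in ALLOWED are assumptions; the string is a constructed sample.

```shell
#!/bin/sh
# Hypothetical wrapper, installed e.g. as /usr/local/bin/rsync-only.sh and
# named in the backup key's entry in ~/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/rsync-only.sh",restrict ssh-ed25519 <PUBLIC-KEY> backup
# sshd then runs this script for every login with that key and passes the
# command the client asked for in SSH_ORIGINAL_COMMAND.

# Constructed sample of the server-side command a pull of /path/to/prd_data/
# produces. The flag cluster varies with rsync version and client options:
# log SSH_ORIGINAL_COMMAND from one legitimate run and paste that string here.
ALLOWED='rsync --server --sender -logDtprze.iLsfxC . /path/to/prd_data/'

# Succeeds only on a byte-for-byte match; no prefix or pattern matching, so
# appended shell syntax or a different path is refused.
check_request() {
    [ "$1" = "$ALLOWED" ]
}

run_forced() {
    if check_request "${SSH_ORIGINAL_COMMAND:-}"; then
        # Execute our own constant, never the client-supplied string.
        exec $ALLOWED
    fi
    logger -p auth.warning -t rsync-only \
        "rejected request: ${SSH_ORIGINAL_COMMAND:-<no command>}" 2>/dev/null
    echo "This key may only run the backup rsync." >&2
    return 1
}

# Act only when started by sshd (which sets SSH_CONNECTION).
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced
    exit $?
fi
```

rsync also ships a helper script, rrsync, that restricts a key to a directory in a similar way (with -ro for read-only access).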

Solution 3:

I would configure an rsync server on the production system such that it allows read-only access to the production data.

Something like this would handle that:

# cat /etc/rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
syslog facility = local5
pid file = /var/run/rsyncd.pid

[prd_data]
  path = /path/to/prd_data
  comment = Production data
  read only = yes

# grep rsync /etc/inetd.conf
rsync   stream  tcp     nowait  root   /usr/bin/rsync rsyncd --daemon

# grep rsync /etc/services
rsync           873/tcp

Then on the backup side, you can configure a fakeroot environment if necessary, then run:

# rsync -az --delete rsync://prod_server/prd_data /path/to/fakeroot