Rsync root files between systems without specifying password

This seems very tricky to me.

I've set up my two systems so that I can rsync files between them as me, without specifying password. Now the the problem is to rsync files that belong to root. On both of my systems, there are no root passwords. The only way to become root is via sudo. So I can neither give a password for sudo rsyn local root@remote:, no use my ssh-agent to supply pass phrase. I don't want to set up a root password on any systems; and I do need the files to be owned by root on both systems.

EDIT: Using the files that belong to root is just an example, I need a way for my unprivileged account to read/write system (including root-owned) files easily. One example is to copy my configured /root environment into the freshly-installed system. The two systems are actually two VMs under a single host, so it's not a big concern for me to copy root-owned files between them.

EDIT 2: If I only want to copy my configured /root environment into the freshly-installed system, I can use tar:

sudo tar cvzf - /root | ssh me@remote sudo tar xvzf - -C /

But I do need rsync to update from time to time. Any easy way to make it happen?

EDIT 3: Formally formulate the question

Alright, it all began with the question, how to rsync files that belong to root between two systems as a normal unprivileged user, without specifying password, under the condition that,

  1. The root account is locked on both of systems. I.e., there are no root passwords. The only way to become root is via sudo (recommended security practice, see http://help.ubuntu.com/community/RootSudo)
  2. I don't want a completely passwordless sudo but don’t want to be typing passwords all the time either.
  3. The normal unprivileged user has entered their ssh pass phrase into the ssh agent.

Thanks


Solution 1:

You can do it directly with rsync with creative using of --rsync-path option. So you would use:

rsync -a -e "ssh" --rsync-path="sudo rsync" localdir/ [email protected]:/remotedir

Note that this require that "sudo rsync" on remote host will NOT ask for passphrase. That can be accomplished in several ways:

  • doing sudo -v on remote before running rsync (ideal for one-off rsync jobs). Your sudo must not use tty_tickets option for this to work.
  • putting username ALL= NOPASSWD:/usr/bin/rsync in /etc/sudoers on remote host.
  • using pam-ssh-agent-auth on remote for /etc/pam.d/sudo

Of course, you could also instead of "rsync over ssh" use "rsync in daemon mode" (see rsyncd.conf(5) and /etc/default/rsync on Debian GNU/Linux for example) to accomplish what you want, with additional benefit of better speed of transfer.

Solution 2:

The solution.

  1. Adding the user's ssh key to remote root works, but only half way, i.e., now rsyn ... root@remote:... works. The challenging part is to get sudo rsyn ... work as well.
  2. To get sudo rsyn ... work, what's need is -- Using SSH agent for sudo authentication, http://www.evans.io/posts/ssh-agent-for-sudo-authentication/
  3. To install pam-ssh-agent-auth PAM module under Ubuntu, you can use the ppa that I've just built, https://launchpad.net/~suntong001/+archive/ppa. Tested fine under Ubuntu 12.04 precise, and 13.10 saucy.

HTH