We've been using rsync since forever to back up all our servers and it's worked without a problem. But in a recent security review, we noted that our specific rsync backup host is using root keys to access the server, meaning that if the keys on the backup server were leaked/compromised in any fashion, that would provide r00t access to the servers being backed up. Since this doesn't seem to be readily documented, I thought I'd provide it to the community. After some playing around, we've found it is possible to set up rsync/ssh so that the connecting server can ONLY run rsync with a predetermined set of options. // OBJECTIVES // 1) Make it so the backup server's SSH key can only be used A) in an rsync read-only. (no write capability to the production webserver) B) against a predetermined set of directories and with a predetermined set of options. 2) Limit the power of the webserver/backup account so that it cannot do anything other than a read-only rsync. 3) Limit access to the backup account to a specific IP address, EG: only the backup server can access the account. # ON WEBSERVER (note: normal account!) ------------------------------------- [root] # adduser backupaccount; # ON WEBSERVER in /home/backupaccount/.ssh/authorized_keys ("backupserver" must be the remote, publicly visible IP address of the backup server) ------------------------------------- from="backupserver" ssh-dss AAAAB3NzaC1kc3MAAACBAKLv/SNIP/ root at backupserver ------------------------------------- # ON BACKUPSERVER Verify that root at backupserver can log in normally via ssh without password: ------------------------------------- [root at backupserver] # ssh backupaccount at webserver # ON WEBSERVER In /etc/passwd. (change the shell at the end of the line) ------------------------------------- backupaccount:x:514:514::/home/backupaccount:/usr/local/bin/backupaccount.sh # ON WEBSERVER in /etc/sudoers ------------------------------------- backupaccount ALL=NOPASSWD: /usr/bin/rsync Defaults:backupaccount !requiretty ------------------------------------- # ON WEBSERVER And in /usr/local/bin/backupaccount.sh ------------------------------------- #! /bin/sh # look in this file to see what options were passed, if the rsync doesn't work. echo $* > /home/backupaccount/options.passed.sh # rsync -va backupaccount at WEBSERVER:/home/ /mnt/backup/home/ /usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtpre.iLs . /home/ ------------------------------------- Note that in this solution, it doesn't matter what the backupserver specifies as the backup location, it will ALWAYS get /home/ and it may well break if you change the options any. EG: using "z" for compression, etc. If this happens, look in options.passed.sh to see what rsync on the backup server tried to pass and, if it makes sense, modify the backupaccount.sh script with these options, or modify backupaccount.sh so that it can take any of a number of source directories after appropriate validation.