ExampleRsyncScripts

From Qmail Info Wiki

i'm assuming you've read "man rsync" and understand basically how it works. (note that a previous version of this page recommended that you run an "rsync server" on port 873... i don't know how that remark got in there. it is not needed for this scenario and is in fact a security hole. -jms1)

i'm backing up my vpopmail directory as part of a larger "mirroring" job, where a machine at my house (with a non-static IP address) "pulls" any files which have changed from the server. it also uses ssh as the transport, because the native rsync protocol is not secure- both because it's not encrypted, and because the authentication can be forged fairly easily.

here's how it works for me... and before anybody asks, "zippy" is the server's name.

this is "/root/bin/backup-zippy", the script which does the work: 

    #!/bin/sh

    export MAILTO=_______@____.___
    export RSYNC_RSH="/usr/bin/ssh -i /root/bin/id_dsa_rsync-backup"

    unset SSH_AUTH_SOCK

    if egrep -q '^rsync.*/backup/zippy' /proc/*/cmdline > /dev/null  2>&1
    then
            echo `date` already in progress >> /backup/zippy.log
            exit 0
    fi

    echo `date` starting >> /backup/zippy.log

    if [ "$1" == "-v" ]
    then
            OPTV="-v"
    else
            OPTV=""
    fi

    rsync -aS $OPTV --delete \
            root@zippy:/boot/ /backup/zippy-boot/

    rsync -aS $OPTV --delete \
            --exclude=/boot                         \
            --exclude=/dev                          \
            --exclude=/proc                         \
            --exclude=/tmp                          \
            --exclude=/var/lib/pgsql/data           \
            --exclude=/var/lib/mysql                \
            --exclude=/var/qmail/queue              \
            --exclude=/var/qmail/scan               \
            --exclude=/var/tmp                      \
            root@zippy:/ /backup/zippy-root/

    rv=$?
    echo rv=$rv

    echo `date` done rv=$rv >> /backup/zippy.log

the RSYNC_RSH environment variable tells rsync what program to use to contact the remote machine.

on the server, i had to configure sshd to allow root logins, but only when authenticating with a key- you can't log in as root with the password. the /etc/ssh/sshd_config file has this line... 

   PermitRootLogin without-password

if your sshd_config file already has "PermitRootLogin yes", you may want to change it to "without-password" so that even if somebody gets your root password, they won't be able to ssh in with the password.

and as a safety feature, when i added the key to the /root/.ssh/ authorized_keys file, i also added a forced command so that the key cannot be used to get an ordinary root shell. the /root/.ssh/ authorized_keys line looks like this: 

   command="/root/.ssh/rsync-key" ssh-dss  AAAAB3NzaAAA4fobEeQMoC6vRInbeNy5PukQ5fAkCc+Vr...

and the "/root/.ssh/rsync-key" script looks like this: 

   #!/bin/sh
   logger -t ssh-command "$SSH_ORIGINAL_COMMAND"
   echo $SSH_ORIGINAL_COMMAND > /tmp/work.$$
   if ! grep -q '^rsync --server ' /tmp/work.$$
   then
           logger -t rsync-key INVALID COMMAND  "\"$SSH_ORIGINAL_COMMAND\""
           exit 1
   fi
   rm /tmp/work.$$
   exec $SSH_ORIGINAL_COMMAND
Retrieved from "http://www.qmailinfo.org/index.php/ExampleRsyncScripts"