Rsync command restriction over SSH

2010-12-29 18:36

You have 2 systems and you want to set up a secure backup with rsync + SSH of one system to the other.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To do the backup, you have to be root on the remote server, because some files are only root readable.

Problem: you will allow backup.example.com to do anything on myserver.example.com, where just read only access on the directory is sufficient.

To solve it, you can use the command="" directive in the authorized_keys file to filter the command.

To find this command, start rsync adding the -e'ssh -v' option:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a result like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now, just add the command before the key in /root/.ssh/authorized_keys:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

And for even more security, you can add an IP filter, and other options:

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open a ssh shell on the remote server.. and try some unauthorized rsync commands…

Notes:

  • Beware that if you change rsync command options, change also the authorized_keys file.
  • No need for complex chroot anymore. Forget my previous article: sftp-chroot-rsync

See also:

  • man ssh #/AUTHORIZED_KEYS FILE FORMAT
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)
2010-12-29 18:36 · Tags: , ,

Brasero Bug Copying Audio CD in Ubuntu Lucid

2010-05-20 23:53

Audio CD copy is actually not possible with Brasero on Ubuntu Lucid. All details in the bug report.

As a workaround, you must install cdrdao version 1.2.3, which is not yet available as a package.

To install it, you can use CheckInstall which is a bit cleaner than the old make install:

tar -xjvf cdrdao-1.2.3.tar.bz2
cd cdrdao-1.2.3/
./configure
make
sudo checkinstall make install

Note: the make command can fail because of missing dev packages you’ll have to install.

CheckInstall builds and installs a nice Debian package.

You can also use cdrdao directly. ps axf shows us the command Brasero is using:

cdrdao read-cd --device /dev/sr0 --read-raw --datafile /home/dooblem/brasero.toc.bin -v 2 /home/dooblem/brasero.toc

Here we go!

Links :

2010-05-20 23:53 · Tags: , , , , , , ,

Audio CD Backup/Archive

2010-05-20 23:34

It’s not possible to backup an audio CD as an iso image. This format is for data CDs.

You should use cdrdao.

Example:

cdrdao read-cd --read-raw --datafile FILE_NAME.bin --device /dev/cdrom --driver generic-mmc-raw FILE_NAME.toc

Under Ubuntu, you can use Brasero with “CD copy” mode. ps axf shows us the command Brasero is using:

cdrdao read-cd --device /dev/sr0 --read-raw --datafile /home/dooblem/brasero.toc.bin -v 2 /home/dooblem/brasero.toc

Note: there is a Brasero Bug in Ubuntu Lucid with cdrdao.

Links:

2010-05-20 23:34 · Tags: , , , ,