rrsync Setup Notes

25 February 2019 config

rrsync is a wrapper script which limits the access of rsync to a sub-hierarchy of the filesystem. this is useful for automated tasks like backups or deploying things. i bet there are plenty of other write-ups on this, so i have to add mine.

rrsync is usually included in your distribution's rsync package, /usr/doc/rsync on slackware. i’ll just assume here that it is somewhere in $PATH.

create an additional ssh-key for rrsync usage

we want a new ssh key for this, which will be limited to executing the rrsync script:

ssh-keygen -f .ssh/id_rsa_deploy

for the best plug&play experience, use an empty passphrase.

copy the key's public part & add options

usually ssh-copy-id can be used for this, but as we want to add options it can be done manually as well. the resulting line in .ssh/authorized_keys should look like this:

command="rrsync /rsync/base/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAA[...]
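
a check for lines like the one above, as an added example that is not part of the original notes: it reads authorized_keys content and reports keys that lack the forced rrsync command or any of the listed options. the function names and sample keys are made up for illustration; accepting openssh's `restrict` option (7.2 and later) in place of the individual no-* options is an addition to what the notes use.

```shell
# constructed sample authorized_keys content (key blobs are placeholders)
sample_keys() {
cat <<'EOF'
command="rrsync /rsync/base/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAexample1 deploy
command="rrsync /rsync/base/path",no-pty ssh-rsa AAAAexample2 backup
restrict,command="/usr/bin/rrsync /rsync/base/path" ssh-ed25519 AAAAexample3 mirror
ssh-rsa AAAAexample4 admin
EOF
}

# reads authorized_keys content on stdin, prints one verdict per key line
audit_rrsync_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        n=$((n + 1))
        # a line that starts with the key type carries no options at all
        case "$line" in
            ssh-*|ecdsa-*|sk-*) echo "key $n: UNRESTRICTED (no options)"; continue ;;
        esac
        # the forced command must invoke rrsync (bare name or absolute path);
        # assumes there are no escaped quotes inside the command string
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
        case "$cmd" in
            'rrsync '*|/*'/rrsync '*) ;;
            *) echo "key $n: NO-RRSYNC (no forced rrsync command)"; continue ;;
        esac
        # drop the quoted command so its spaces do not break the split, then
        # keep field 1: the option list (sshd matches option names case-insensitively)
        opts=$(printf '%s\n' "$line" | sed 's/command="[^"]*"//' |
               cut -d' ' -f1 | tr 'A-Z' 'a-z')
        missing=""
        case ",$opts," in
            *,restrict,*) ;;   # restrict switches on all the restrictions below
            *) for opt in no-agent-forwarding no-port-forwarding no-pty \
                          no-user-rc no-x11-forwarding; do
                   case ",$opts," in *",$opt,"*) ;; *) missing="$missing $opt" ;; esac
               done ;;
        esac
        if [ -n "$missing" ]; then echo "key $n: WEAK (missing:$missing)"
        else echo "key $n: OK"
        fi
    done
}

sample_keys | audit_rrsync_keys
```

to check a real file, run `audit_rrsync_keys < ~/.ssh/authorized_keys` on the remote side.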

run a limited rsync with

rsync -e "ssh -i $HOME/.ssh/id_rsa_deploy" -v -a path/ remote:subdir/

note that the remote rsync sees the filesystem as if it were chrooted to /rsync/base/path: you only have to give it subdir, not /rsync/base/path/subdir