Give user permissions to all files and folders

Question

I want to have a user who has access to all the files and folders on the system. This is for the purpose of using RSYNC on a local machine to backup a remote machine.

At the moment we are using the user backups and although we have added this user to the groups sudo and admin rsync still returns messages like:

rsync: opendir "/location/to/folder" failed: Permission denied (13)

rsync: send_files failed to open "/location/to/file": Permission denied (13)

Any idea how we give the user backups permission to access everything (short of adding the user to all groups ever - the remote server we are trying to backup is a dedicated hosting server where every account has its own user on the system).

Thanks for any help.

Answer 1

Just adding the user backups to the user group sudo does not automatically give the account access to all files on the system. It gives the user the permission to run the sudo command.

Since you are using public key authentication (presumably without a passphrase), I would approach this with security and ease of implementation in mind. Using ssh allows you to restrict the user to execute only very specific commands. In this case, you can allow the user backups to execute rsync with superuser permissions.

You have already performed the key exchange and verified authentication is successful. In the authorized_keys file on the remote host that you are backing the /home directory from, you can add a command= directive to the key that is used by the user backups. This directive will only allow that command to be run when that key is used for authentication. So the first field of the key would look similar to this:

command="/path/to/sudo /path/to/rsync -az /home /local/folder" ssh-rsa AAAAB3NzaC1yblahblahblah

You can go even further and add more options to the key, such as from=myhost,no-pty,no-X11-forwarding.

This should give you decent security and not require you to modify the underlying file system permissions. You will probably need to play with the command that you place in the authorized_keys file until it works like you expect; it may take a bit to wrap your brain around it. The command specified in the authorized_keys will basically override the rsync options you will pass from the connecting host.

Lots of good information in man sshd. You want to specifically read the AUTHORIZED_KEYS FORMAT section.

Answer 2

One option is to run an rsync server on the remote system.

Basically, create an rsync.conf with uid=root then use rsync -az rsync://domain.com.

See http://pastebin.com/5hQx1mRV for an example someone else wrote and Configuring the rsync daemon for some basics of enabling a server in Ubuntu.

Note that you have to consider the security of this. A better approach is probably to make the remote system push to your local system.

Answer 3

You could perhaps use ACL if the underlying filesystem supports it.

You should add the group backup in the ACL of each file and directory. But to be added automatically for newly created file and directory, you should first set the default ACL to all existing directories. So on the remote server:

sudo find /home -type d -print0 | xargs -0 setfacl -d -m group:backup:r-x

Then you should have rx permission for all existing directories and read for files. You can do this with 2 commands (without the -d this time)

sudo setfacl -R -m group:backup:r-- /home
sudo find /home -type d -print0 | xargs -0 setfacl -m group:backup:r-x

This will give you extra permission to read the files to the group backup without changing the existing user and group that own each file.

Note: to accelerate the find | xargs command you can add the following option to the xargs command: -P n with n the number of parallel process. You can set it to the number of cpu you have on your machine + 1.