3

Assume two sites A and B with file server at either end. The contents of /storage should be synchronized between the sites, preserving ownership and permissions. There's no all encompassing group that group-owns all of the files in /storage. If running Unison or rsync pid=0 it is trivial to do the synchronization. However SSH is to be used as transport and for obvious reasons SSH root login has been disabled on both ends.

How can I keep A and B synchronized with all permissions preserved in that situation. Two methods I can think of:

  • Running a secondary SSH that permits root logins yet may only connect over a VPN between A and B.
  • adding a special synchronization user which sshd configuration forcibly executes a
    • SUID wrapper to Unison or rsync (dangerous to get right).
    • sudo wrapper to Unison or rsync

The answers given to the Question Remotely use root over ssh for unison suggest enabling password-less pubkey root login over SSH – I'm not very keen of that solution.

Any other ideas?

Community
  • 1
datenwolf
  • 289
  • 1
  • 11

2 Answers2

2

The public key root login over SSH is likely your best bet. You could furthermore restrict this access to a single host:

AllowUsers [email protected]

Or even use the Match directive to get a unique configuration for a given something (address, user, etc):

Match Address 192.0.2.123
    PasswordAuthentication no
    RSAAuthentication yes
    PubkeyAuthentication yes
    PermitRootLogin yes
Hyppy
  • 15,608
  • 1
  • 38
  • 59
1

How to run remote unison instance as root:

Remote side

  • don't touch your sshd config, especially don't create any special synchronization [ssh] user as you state in your question

  • create sudo wrapper vi sunison:

#!/data/data/com.termux/files/usr/bin/bash
su --preserve-environment -c `which unison` "$@"

(yes, this is for Termux environment, simplify to your needs)

Client side

  • run unison with -servercmd sunison
  • or add to your unison profile servercmd = sunison

Notes

  • something like servercmd = sudo unison would be best, but it didn't work for me
Vlastimil Ovčáčík
  • 214
  • 1
  • 3