Run rsync with root permission on remote machine
Andrew Henderson 
I want to sync a folder from my machine with a folder on a remote machine. The remote folder can only be manipulated by root. I have an account on the remote machine which can use sudo. How can I run rsync such that it has root permissions on the remote machine?
I've tried the following:
rsync -avz -e ssh /home/ubuntu/my/lovely/folder ubuntu@x.x.x.x:/remote/lovely/folder --delete --rsync-path="sudo rsync"But (after entering my password) I get the following error:
sudo: no tty present and no askpass program specified10 Answers
Try this solution. In your sudoers file (/etc/sudoers) setup your user like this:
username ALL= NOPASSWD:/usr/bin/rsyncthe NOPASSWD:/usr/bin/rsync tells sudo that when your user runs /usr/bin/rsync or just rsync that no password is needed.
Then your original --rsync-path="sudo rsync" should work.
This is the solution I came up with:
rsync -R -avz -e ssh --rsync-path="echo mypassword | sudo -S mkdir -p /remote/lovely/folder && sudo rsync" /home/ubuntu/my/lovely/folder ubuntu@x.x.x.x:/remote/lovely/folder --deleteBit of a mission!
4The solution on this blog worked really well for me: .
Basically:
stty -echo; ssh myUser@REMOTE_SERVER "sudo -v"; stty echo
rsync -avze ssh --rsync-path='sudo rsync' myUser@REMOTE_SERVER:/REMOTE_PATH/ LOCAL_PATH The first line allows for interactive password entry, without showing the password on the screen. Works great for me on Ubuntu 9.04.
6I'm amazed by the complexity of the existing answers! It's far easier and convenient to configure your systems (your PC and the remote host) so that you can connect as root to the remote host without using a password. And although it sounds scary it is quite secure.
- On the remote host make sure that /etc/ssh/sshd_config has this line "PermitRootLogin without-password" (in many distributions it's there by default). This allows root to get an ssh shell using any authentication method except the insecure password prompt.
- (If you don't already know how) follow any of the many tutorials on how to obtain passwordless login via ssh
- Use rsync as you would normally do and without any password prompts.
Just don't forget that as long as the line in /root/.ssh/authorized_keys of the remote host is there that machine accepts root commands from your PC.
1You need a method to supply the password to sudo. An askpass program is designed to ask for passwords when the normal mechanisms aren't available. Setting up sudo to not require a password to run rsync as your userid is one option.
I normally configure key based login with appropriate restrictions for cases like this. If you configure a restricted key that an only run rsync as root then this kind of thing gets easier to do. Another alternative is to use an rsycnd process to handle the remote requests. The configuration provides a variety of restrictions that can be applied.
EDIT: I included a script to setup keys for key based loings in the Creating Userids on Clients section of my post on Setting up BackupPC on Linux. See also the documenation for ssh_config which details some of the things you can do with resticting key usage as shown in the script.
2on remote machine
sudo apt install ssh-askpass
which ssh-askpassthen on local machine
rsync -av -e 'ssh -X' --rsync-path='SUDO_ASKPASS=/usr/libexec/openssh/ssh-askpass sudo -A rsync' /some/local/path user@remote:/some/remote/pathsubstitute path to ssh-askpass with actual path on remote machine
source:
Here is what worked for me, considering that I want to keep password authentication (so I don't want to use NOPASSWD or keys) - on Ubuntu 14.04:
- "Open up"
sudoon remote machine by disablingtty_ticketsthrough a temporary file in/etc/sudoers.d/(which should be supported on Debian, see/etc/sudoers.d/README), and "Update the user's cached credentials", which "extends the sudo timeout for another 15 minutes" - Run the
rsyncwithsudoas shown in other answers - "Close down"
sudoon remote machine by removing the temporary file in/etc/sudoers.d/, which re-enablestty_tickets
... or, with command lines:
ssh -t $REMOTEPC 'echo "Defaults !tty_tickets" | sudo tee /etc/sudoers.d/temp; sudo -v'
rsync -aP -e 'ssh' '--rsync-path=sudo rsync' /etc/pulse/client.conf $REMOTEPC:/etc/pulse/client-copy.conf
ssh -t $REMOTEPC 'sudo rm -v /etc/sudoers.d/temp; sudo -v'These are the responses I get when running these commands on the local machine:
$ ssh -t $REMOTEPC 'echo "Defaults !tty_tickets" | sudo tee /etc/sudoers.d/temp; sudo -v'
remoteuser@$REMOTEPC's password:
[sudo] password for remoteuser:
Defaults !tty_tickets
Connection to $REMOTEPC closed.
$ rsync -aP -e 'ssh' '--rsync-path=sudo rsync' /etc/pulse/client.conf $REMOTEPC:/etc/pulse/client-copy.conf
remoteuser@$REMOTEPC's password:
sending incremental file list
client.conf 1269 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=0/1)
$ ssh -t $REMOTEPC 'sudo rm -v /etc/sudoers.d/temp; sudo -v'
remoteuser@$REMOTEPC's password:
removed ‘/etc/sudoers.d/temp’
[sudo] password for remoteuser:
Connection to $REMOTEPC closed.Note that sudo -v should be ran after each time files in /etc/sudoers.d/, so the changes therein are accepted.
Another method is to get around the permissions restrictions by initiating rsync on the remote machine. Instead of:
rsync /home/ubuntu/my/lovely/folder ubuntu@x.x.x.x:/remote/lovely/folderYou can do:
ssh ubuntu@x.x.x.x 'rsync ubuntu@y.y.y.y:/home/ubuntu/my/lovely/folder /remote/lovely/folder'Where y.y.y.y is your local machine's IP address. This only works if your local machine can act as an SSH server.
My workuround is to add --rsync-path="echo PASSWORD | sudo -Sv && sudo rsync"
example:
rsync -avz -e ssh /home/ubuntu/my/lovely/folder ubuntu@x.x.x.x:/remote/lovely/folder --delete --rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync"
It usually isn't a good idea to put passwords into a command line one-liner; they become visible in the process tree, for example. I sometimes replace the actual password in this type of statement with $( cat my_password.txt ) which is slightly better
rsync -avz -e ssh /home/ubuntu/my/lovely/folder ubuntu@x.x.x.x:/remote/lovely/folder --delete --rsync-path="cat my_password.txt | sudo -Sv && sudo rsync"
Run as cronjob in the background
Ok, so you have a few options here.
The ones above are pretty good when it comes to rsync as a normal user with sudo permissions on (both) other side(s).
I had this same problem, the only difference was that I wanted to run this as a cronjob at night.
Step 1
I work with ssh-keys (this makes it possible to login to a remote host without password authentication while still being very secure!!)
- Create a ssh-key on your source computer (server) with the following command:
ssh-keygenYou will be prompted a few options, just press enter every time (do not (enter) set a password!!).
This command creates 2 different keys. 1. An id_rsa_pub key: this key needs to be copied to the remote (destination server) host. 2. An id_rsa: this is a private key and you do not want to mess with this key. Make sure no one can see this key (read permissions). Only you should have the right to see this key.
Step 2
- The moment you have generated the keys, it is time to copy the id_rsa_pub key to the remote computer (server). You can do this with the following command:
ssh-copy-id You will be prompted to fill in your password for default ssh access. Just enter your password and the ssh-copy-id command will do the rest for you.
Time to test
- Now, ssh into the remote server (the destination you used with the ssh-copy-id command).
You can consider the test successful if you do not get to see a prompt to enter a password.
Now you can do rsync commands to a remote host without having to fill in a password all the time! Also you can autocomplete on the destination host from within your source host. That is pretty neat if you ask me (example ssh 192.168.1.100: "press two time the tab button to autocomplete the rest of the command. Note that the ip address 192.168.1.100 is the ip address of the destination server).
Now you can do a rsync command from a cronjob with a normal "sudo" user (no need for root access on both servers for ssh for using user root).
Just do the same as described above, but add one option:
sudo rsync --rsync-path="sudo rsync" -az --delete -e "ssh -p 1022 -l **buser** -i /home/**buser**/.ssh/id_rsa" /path/to/rsync :Note that buser (BackupUSER, is my user who uses the ssh-key to login through ssh without being prompted for a password). Change buser to your username who uses the ssh-key login method.
Note the last character in the command ends with a ":"This means that you are copying files to the home folder of the remote user. If you want to deviate to another location outside your home directory, you can achieve this by adding the absolute path after the ":" For example:
sudo rsync --rsync-path="sudo rsync" -az --delete -e "ssh -p 1022 -l **buser** -i /home/**buser**/.ssh/id_rsa" /path/to/rsync :/srv/backup_folderExplaining the option "ssh -p 1022 -l username -i /home/username/.ssh/id_rsa"
ssh -p 1022 ssh uses the default port 22. I deviate from the default port because my ssh-server listens to port 1022.
-l username the user defined who can login to the remote host with the ssh-key authentication method. In my case, this is the user BUSER.
-i (stands for Identity) uses the private key which we created with the ssh-keygen command. It points to where this key is stored. The default location is in the users home folder in a hidden directory called ssh (/home/username/.ssh/id_rsa).
I hope this will help other users to automate their backup through cron in a secure matter.
Double check
From the source machine (server), make sure you execute your command (script) as the ROOT user (if you make a cronjob, you have to make sure that you are the user root (#) when creating the cronjob)
Make sure the user on the destination server has sudo rights.
Make sure you have done the visudo as Keith describes in his answer!
