0

I want to synchronize (both directions) a certain folder between a server (S) and a local machine (L). On both S and L, I have the same system (Ubuntu) and a user jan, with sudo privileges (i.e. in admin group). The SSH access to S is possible only with key authorization.

I figured I can use unison for this. And I have created a new key pair with empty password. The problem is that I do not want to allow unlimited access to this password-less key.

(EDIT: I want to (e.g.) distinguish between different SSH authorized keys for the same user - and in one case restrict the access to only one directory and if possible only to run a specific command - as with rrsync below.)

I could use rsync. It has a server-side script rrsync and you can then restrict the access for the key in the authorized_keys file:

command="$HOME/bin/rrsync -ro /home/jan/sync_folder/".

But rsync cannot handle deleted files etc.

Another option is to set chroot jail on the server, but I still need to be able to access the server freely with my first key.

I could create a new user account, through which the synchronization would be done (and apply chroot jail + not included in admin group), but then I would lose the meta-information about the files (ownership, permissions). All files are owned by only one user (so ownership is not an issue), but some files are executable scripts, some not.

Any ideas how to synchronize the folders, while keeping the access secure? I have no preference in the tool. Those above are just what I have found after some studying.

galapah
  • 101
  • 1

2 Answers2

1

Why shouldn't rsync handle deleted files? --delete is supposed to do exactly that.

Actually there is a question without command-only keys on ask-ubuntu

Community
  • 1
user2563336
  • 116
  • 4
  • I wanted to use rsync, but was discouraged by: http://stackoverflow.com/questions/1602324/rsync-how-do-i-synchronize-in-both-directions and http://www.cis.upenn.edu/~bcpierce/unison/ – galapah Mar 28 '17 at 13:51
  • And as for the link you provided: as symcbean already mentioned below: I want to delete a file in S when that file was deleted in L and vice versa, but I want to copy a new file when it was created at any of the two locations (SIMPLY: sync including delete). It seems to me rsync cannot do this. The link shows how to delete files not present in one location. – galapah Mar 28 '17 at 13:55
0

This should be a comment, but its a bit long.

You need to define your problem better before you'll get a sensible answer (rather than guesses).

If the fileset includes files owned by different users then the writing side needs to run as root. That does not require the channel to run as root. The confusion over rsync arises from your need to support both file deletions and bi-directional sync. If a file exists at node 'A' but not node 'B', does that mean it has been deleted on node 'B' or has recently been created on node 'A' - anything which does not preserve state between invocations cannot tell.

There are no end of tools you can use to replicate files - drbd with mirroring to a local physical disk, ssh filesystems, the Andrew File System, and many more. Maybe your choice of unison over ssh is an arbitrary constraint. Although if you were to simply ask what the options are for mirroring a filesystem across hosts, you're question would likely get closed as "too broad".

I do not want to allow unlimited access to this password-less key

What do you mean by "unlimited access"? As per above, the writing end needs to run as 'root'. Are you seeking to restrict what root can do on a Unix system? That's possible - but very difficult.

symcbean
  • 19,931
  • 1
  • 29
  • 49
  • Thanks. I have edited the post. 1) I have no preference of the tool. This is what I have found. 2) Files are owned just by one user so sudo should not be necessary. I suppose I could create another user (without admin group, but in the "jan" group), a member of a chroot-restricted group. And periodically run a script for changing the ownership. Or? I am looking for the simplest solution. AFS sounds interesting, but I would have to change the partitions on both computers and especially allocate a fixed portion of the disk. – galapah Mar 28 '17 at 13:49