rsync Permission denied backing up a remote directory to my local machine

I'm getting the error mentioned in the title.

I found this similar question: Run rsync with root permission on remote machine. That doesn't answer my question.

I'm the admin on the remote server and I want to use rsync to back up files to my local box. Here's my rsync command:

$ rsync -avz me@myserver.com:/var/www/ /backups/Sites/MySite/

It mostly works. Login is via a keypair. I don't and can't use a password (EDIT: to login via SSH). Just a few files won't transfer due to permissions. I don't want to change those permissions.

Here's the error:

receiving file list ... done
rsync: send_files failed to open "/var/www/webapp/securestuff/install.php": Permission denied (13)

I do not want to change the permissions on that file. It (and others like it) should not be readable (except by root).

This has to run in a cron job and I prefer a simple one-line solution using only the rsync command. The next choice would be a shell script I can call from the cron job. In no case can I manually log into the remote machine and become root (because I'll be sleeping when this runs.

How can I use rsync to back it up to my local box?

MountainX

Posted 2012-03-07T20:57:12.080

Reputation: 1 735

I got rsync: send_files failed to open "/cygdrive/...": Permission denied (13). So my source computer was Windows cygwin. Slightly different situation, but for posterity, my solution was to right-click cmd.exe and Run as administrator. – Bob Stein – 2019-02-23T08:18:42.550

can you please show us something like ssh me@myserver.com "cat /var/www/webapp/securestuff/install.php" >localfile ? – Florenz Kley – 2012-03-07T21:17:32.523

@Florenz Kley: I don't understand your comment – MountainX – 2012-03-07T21:43:39.883

show me that you can read the file and I show you a rsync command that works :-). Option #2 from grawity is probably your best bet. – Florenz Kley – 2012-03-07T22:07:30.900

@Florenz Kley: ssh me@myserver.com "echo mypassword | sudo -S cat /var/www/webapp/securestuff/install.php" > localfile – MountainX – 2012-03-08T03:37:32.737

Answers

You cannot back up a file which you cannot read otherwise, so the permissions will have to be either changed or overriden by root.

Your options in more detail:

Override the permissions by rsync'ing as root@myserver.com directly. (

...or by configuring sudo on the server to allow password-less running of the rsync server-side component.

me    ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -vlogDtprze.iLsf . /var/www/

and

rsync --rsh="ssh me@myserver.com sudo" -avz /var/www/ /backups/...

Create a dedicated "website-backup" account on the server. Change the files' permissions to make them readable to the "website-backup" account; you may use ACLs and setfacl for that. Do not use this account for anything else.
```
rsync -avz website-backup@myserver.com:/var/www/ /backups/sites/mysite/
```
Write a script on the server which would dump /var/www/ into an encrypted tarball. Again, this can be done as root (via crontab) or by configuring sudo to not require a password for that script. For example:
```
#!/bin/sh
tar c /var/www/ | gpg -e -r mountainx@example.com
```
Backup would be done by pulling the entire tarball every time, which might be inefficient with large sites:
```
ssh me@myserver.com "sudo /usr/sbin/dump-website" > /backups/sites/mysite.tar.gpg
```
The password requirement would be removed by editing sudoers:
```
me     ALL=(root) NOPASSWD: /usr/sbin/dump-website
```

user1686

Posted 2012-03-07T20:57:12.080

Reputation: 283 655

Thanks. Good suggestions. Either one will probably work for me. I'm also considering using the solution at http://superuser.com/questions/270911/run-rsync-with-root-permission-on-remote-machine if I can figure out its potential side effects.

– MountainX – 2012-03-07T21:17:35.267

BTW, I meant either of the last 2 choices. Logging in as root via SSH is not allowed on the server. – MountainX – 2012-03-07T21:18:39.167

@MountainX: I separated out "rsync via sudo" as a separate choice. It might work as well. – user1686 – 2012-03-07T21:20:17.167

Thanks! "rsync via sudo" would be my preferred choice. I will try your suggestion. It looks like I need to implement this using visudo on Ubuntu on the server. I haven't messed with visudo much, but you've given me enough to get me started. Thanks again. – MountainX – 2012-03-07T21:31:57.200

In the remote host you can run rsync daemon with

uid root

in the /etc/rsyncd.conf file.

This will allow the daemon to use the CAP_DAC_OVERRIDE capability and read the local file system without changing permissions/ownership.

If you need just to make a backup it's a good practice to set rsync to read only mode:

read only = true

altmas5

Posted 2012-03-07T20:57:12.080

Reputation: 310

If the files are only readable by root you need to have root access to back up the file by reading it from the file system. rsync is reading the files from the file system not from the raw device.

With the exception of dump, dd and similar backups that copy the partition rather that files, backups programs read the files from the file system. Backup utilities will fail to read and backup files for which the permissions of the user id used to run them prevent access. This is the case you are running into.

In most cases you need to trust your backup software enough to allow it to read all your data. This also means you need to trust your backup medium with all your data. In some cases you may want to exclude some files from backup and use an alternate method to backup their contents.

EDIT: As you are archiving the data (copying all permissions) you will need root access on both servers. If you are doing this as a backup you may want to look at a solution like BackupPC which uses rsync to read the files, but stores the files in its own directory tree.

BillThor

Posted 2012-03-07T20:57:12.080

Reputation: 9 384

There are ways to give rsync root access. I just don't know them. What I'm asking for is how to give rsync root access to back up these files. Maybe I need to revisit the answer to "Run rsync with root permission on remote machine" and see if I can figure it out... – MountainX – 2012-03-07T21:08:36.887