- You’re logged in to hostA
- You need to rsync some files from hostB to hostA
- The files on hostB are only readable by root and they must be written by root locally (hostA)
- You have sudo access to root on both
- You have ssh public key access to both
- root can’t ssh between the two
Normally you’d do this:
hostA$ rsync -av hostB:/foo/ /foo/
but you can’t because your user can’t read /foo on hostB.
So then you might try making rsync run as root on hostB:
hostA$ rsync --rsync-path='sudo rsync' -av hostB:/foo/ /foo/
but that fails because ssh needs a pseudo-terminal to ask you for your sudo password on hostB:
sudo: no tty present and no askpass program specified
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(226) [Receiver=3.1.1]
So then you can try giving it an askpass program:
hostA$ rsync \
  --rsync-path='SUDO_ASKPASS=/usr/bin/ssh-askpass sudo rsync' \
  -av hostB:/foo/ /foo/
and that nearly works! It pops up an askpass dialog (so you need X11 forwarding) which takes your password and does stuff as root on hostB. But it ultimately fails because rsync is running as your unprivileged user locally (hostA) and can’t write the files. So then you try running the lot under sudo:
hostA$ sudo rsync \
  --rsync-path='SUDO_ASKPASS=/usr/bin/ssh-askpass sudo rsync' \
  -av hostB:/foo/ /foo/
This fails because X11 forwarding doesn’t work through the local sudo. So become root locally first, then tell rsync to ssh as you:
hostA$ sudo -i
hostA# rsync \
  -e 'sudo -u youruser ssh' \
  --rsync-path 'SUDO_ASKPASS=/usr/bin/ssh-askpass sudo rsync' \
  -av hostB:/foo /foo
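The final recipe wrapped in a small script with the checks you would want before it runs, as an added example rather than the post's own command. It assumes sudo exports SUDO_USER, that the askpass helper on hostB is /usr/bin/ssh-askpass as above, and it passes -X to ssh so the dialog can reach hostB; all three are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): root_pull.sh, run on hostA as
#   sudo ./root_pull.sh /foo/ hostB /foo/
# Assumptions: sudo exports SUDO_USER; the askpass helper on hostB is
# /usr/bin/ssh-askpass (as in the post); ssh is given -X so the dialog can
# be forwarded to hostB.

ASKPASS=/usr/bin/ssh-askpass   # helper on hostB, from the post

# Check what the recipe silently depends on. Values are passed in as
# arguments so the checks can be exercised without really being root.
#   $1 effective uid   $2 SUDO_USER   $3 DISPLAY
# Returns 0 when everything is in place, otherwise a distinct code.
preflight() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1  # root writes the local copy
    [ -n "$2" ]               || return 2  # the ssh keys belong to this user
    [ -n "$3" ]               || return 3  # no DISPLAY (sudo's env_reset
                                           # dropped it): no askpass dialog
    return 0
}

# Print the command that will run: ssh as the unprivileged user $1,
# pulling $2 from $3 into local $4. The --rsync-path value is one argument
# containing spaces, so it is single-quoted as a unit.
build_cmd() {
    printf "rsync -e 'sudo -u %s ssh -X' --rsync-path 'SUDO_ASKPASS=%s sudo rsync' -av %s:%s %s\n" \
        "$1" "$ASKPASS" "$3" "$2" "$4"
}

main() {
    src=$1 host=$2 dst=$3
    preflight "$(id -u)" "${SUDO_USER:-}" "${DISPLAY:-}" || {
        echo "preflight check $? failed (1 not root, 2 no SUDO_USER, 3 no DISPLAY)" >&2
        exit 1
    }
    echo "running: $(build_cmd "$SUDO_USER" "$src" "$host" "$dst")" >&2
    exec rsync -e "sudo -u $SUDO_USER ssh -X" \
        --rsync-path "SUDO_ASKPASS=$ASKPASS sudo rsync" \
        -av "$host:$src" "$dst"
}

# Only run when invoked with the three arguments, so the functions above
# can be sourced or tested on their own.
if [ $# -eq 3 ]; then
    main "$@"
fi
```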
Answer cobbled together with help from dutchie, dne and dg12158. Any improvements? Not needing X11 forwarding would be nice.
- Use tar:
$ ssh \
  -t hostB 'sudo tar -C /foo -cf - .' \
  | sudo tar -C /foo -xvf -
- Add public key access for root
- Use filesystem ACLs to allow unprivileged user to read files on hostB.
2 thoughts on “rsync and sudo conundrum”
If on hostB you’re prepared to make sudo auth caches shared between all a user’s connections (rather than per-TTY per-user) then you can avoid the X forwarding.
hostA$ ssh -t hostB sudo visudo
Add this line:
Save and exit that, then this should work:
hostA$ ssh -t hostB sudo -v && sudo rsync -e "sudo -u $USER ssh" --rsync-path='sudo rsync' -av serverB:/foo /foo
The first prompt will be for your password on hostB (from the sudo -v) and the second on hostA (from the sudo rsync).