14

I'm getting the error mentioned in the title.

I found this similar question: Run rsync with root permission on remote machine. That doesn't answer my question.

I'm the admin on the remote server and I want to use rsync to back up files to my local box. Here's my rsync command:

    $ rsync -avz me@myserver.com:/var/www/ /backups/Sites/MySite/

It mostly works. Login is via a keypair. I don't and can't use a password (EDIT: to log in via SSH). Just a few files won't transfer due to permissions. I don't want to change those permissions.

Here's the error:

    receiving file list ... done
    rsync: send_files failed to open "/var/www/webapp/securestuff/install.php": Permission denied (13)

I do not want to change the permissions on that file. It (and others like it) should not be readable (except by root).

This has to run in a cron job and I prefer a simple one-line solution using only the rsync command. The next choice would be a shell script I can call from the cron job. In no case can I manually log into the remote machine and become root (because I'll be sleeping when this runs).

How can I use rsync to back it up to my local box?

MountainX

3 Answers

11

You cannot back up a file which you cannot read otherwise, so the permissions will have to be either changed or overridden by root.

Your options in more detail:

  • Override the permissions by rsync'ing as root@myserver.com directly. (

  • ...or by configuring sudo on the server to allow password-less running of the rsync server-side component.

    me    ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -vlogDtprze.iLsf . /var/www/
    

    and

    rsync --rsync-path="sudo rsync" -avz me@myserver.com:/var/www/ /backups/...
    
  • Create a dedicated "website-backup" account on the server. Change the files' permissions to make them readable to the "website-backup" account; you may use ACLs and setfacl for that. Do not use this account for anything else.

    rsync -avz website-backup@myserver.com:/var/www/ /backups/sites/mysite/
    
  • Write a script on the server which would dump /var/www/ into an encrypted tarball. Again, this can be done as root (via crontab) or by configuring sudo to not require a password for that script. For example:

    #!/bin/sh
    tar c /var/www/ | gpg -e -r mountainx@example.com
    

    Backup would be done by pulling the entire tarball every time, which might be inefficient with large sites:

    ssh me@myserver.com "sudo /usr/sbin/dump-website" > /backups/sites/mysite.tar.gpg
    

    The password requirement would be removed by editing sudoers:

    me     ALL=(root) NOPASSWD: /usr/sbin/dump-website
    
grawity
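An added example, not part of grawity's answer: the sudoers rule above pins one exact server-side rsync command, and the same restriction can also be checked before sudo is ever reached. This hypothetical gatekeeper script (its use as the backup key's forced command in `authorized_keys`, the `ALLOWED_PATH` variable and the `check_backup_cmd` name are assumptions) accepts only rsync's `--server --sender` invocation under `/var/www/` and passes it to `sudo`, so the client runs the question's original `rsync -avz me@myserver.com:/var/www/ ...` command unchanged.

```shell
#!/bin/sh
# Added example (hypothetical gatekeeper, not from the answers). Intended as the
# forced command of the backup key; accepts only rsync's read-only server call:
#   rsync --server --sender -vlogDtprze.iLsf . /var/www/

ALLOWED_PATH="/var/www/"   # tree the backup may read (path from the question)

# check_backup_cmd CMD: succeed only for
#   rsync --server --sender -<short flags> . <ALLOWED_PATH or a path below it>
check_backup_cmd() {
    set -f            # no globbing while the request is split into words
    set -- $1         # whitespace split only; the string is never eval'ed
    set +f
    [ "$#" -eq 6 ] || return 1
    for tok in "$@"; do
        case $tok in
            *[!A-Za-z0-9./_-]*) return 1 ;;   # quotes, ;, $ and similar are refused
        esac
    done
    case $1 in rsync|/usr/bin/rsync) ;; *) return 1 ;; esac
    [ "$2" = "--server" ] && [ "$3" = "--sender" ] || return 1   # server must be the sender
    case $4 in
        -|--*|-*[!A-Za-z.]*) return 1 ;;   # long options are refused
        -*) ;;                              # one short-flag cluster (varies with client options)
        *) return 1 ;;
    esac
    [ "$5" = "." ] || return 1
    case $6 in
        */../*|*/..) return 1 ;;           # no climbing out of the tree
        "$ALLOWED_PATH"*) return 0 ;;
    esac
    return 1
}

# Entry point: sshd passes the client's request in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        # Assumes a NOPASSWD sudoers rule covering /usr/bin/rsync for this user.
        exec sudo -n /usr/bin/rsync "$@"
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```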
6

On the remote host you can run the rsync daemon with

    uid = root

in the /etc/rsyncd.conf file.

This will allow the daemon to use the CAP_DAC_OVERRIDE capability and read the local file system without changing permissions/ownership.

If you just need to make a backup, it's good practice to set rsync to read-only mode:

    read only = true

Jorge V.
0

If the files are only readable by root, you need to have root access to back up the file by reading it from the file system. rsync is reading the files from the file system, not from the raw device.

With the exception of dump, dd and similar backups that copy the partition rather than files, backup programs read the files from the file system. Backup utilities will fail to read and back up files for which the permissions of the user id used to run them prevent access. This is the case you are running into.

In most cases you need to trust your backup software enough to allow it to read all your data. This also means you need to trust your backup medium with all your data. In some cases you may want to exclude some files from backup and use an alternate method to back up their contents.

EDIT: As you are archiving the data (copying all permissions) you will need root access on both servers. If you are doing this as a backup you may want to look at a solution like BackupPC which uses rsync to read the files, but stores the files in its own directory tree.

BillThor