LinuxQuestions.org
Old 12-24-2014, 05:03 PM   #1
keirvt
Member
 
Registered: Sep 2006
Location: Sydney Australia
Distribution: fedora/Ubuntu
Posts: 156

Rep: Reputation: 18
Backup and restore using rsync/ssh


I have a home network with multiple Windows computers protected using the firewall on the router. I have a mostly working backup system using rsync from internal client machines (some are Windows) to a backup machine.

What I propose here is bad security, (although the firewall is totally blocked) but I want functionality not security.

I am using cwrsync, a free rsync utility employing a bare bones cygwin installation containing only the necessary components to run an rsync backup. On one of the Windows clients, the scheduler runs rsync periodically and the backups are made in each user's directory.

I set up RSA keys on the Windows machines and the machine to which the backups would be done and arranged for each backup to be placed in a user home directory allocated for each machine so that passwords are not required. Rsync runs and transfers files automatically. Great so far!

It then seemed like a good idea to be able to recover any particular file back to a client machine using a web interface.

By adding a web server to the backup machine and arranging rsync to store the backups in each user's directory in the web directory /home/user/public_html a browser on any client machine can see and access backup files - click on a file and download a backup copy of the file.

This works except for one problem. I need each user directory to be group owned by www-data.

The public_html directory has to be accessible by the web server. If you change the group or ownership to www-data then a browser can see and download files but rsync then demands a password. If you change the ownership and group to the user then rsync works but the web server can't see the files.

I have tried adding Allowgroups www-data to /etc/ssh/ssh_config and that doesn't work. I tried creating a directory owned by www-data - nope.

I need to somehow override the ssh insistence that the ownership of the backup directory must be that of the user or get it to accept a group ownership from www-data. Is there a way to do this?

Alternatively is there a way to get rsync to backup files without a password and thereby not use ssh?
 
Old 12-25-2014, 04:13 PM   #2
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
No, if you use /home/<user>/public_html files are accessible by the web browser if the owner of the file is <user>:<user>. (<user> is the actual name of the user)

You should have enabled the option to serve /home/<user>/public_html in Apache.
The backup process should write the backup with the credentials of <user>. Permissions must be 644 or more relaxed.
If you are still not able to serve from public_html, check the Apache docs. My (Debian) system does it so I know it is possible.

If your backup process cannot copy as <user>, you should change the ownership after the backup. That can be done using ssh by simply issuing the chown command in the ssh call. However, you should chown as root and that requires root access over ssh. That is something which is discouraged. I have not found a better solution yet.

jlinkels
 
1 members found this post helpful.
Old 12-25-2014, 06:06 PM   #3
keirvt
Member
 
Registered: Sep 2006
Location: Sydney Australia
Distribution: fedora/Ubuntu
Posts: 156

Original Poster
Rep: Reputation: 18
Apache ssh and rsync

You were right about Apache not needing www-data group memberships and only needing the user ownership and membership.

The key to getting it to work was that the permissions of the directory have to include executable.
To me that is odd since I only need to read the directory not execute anything in it. Oh well - good old unix.
Thanks for your suggestion about where to be directing effort.
 
Old 12-26-2014, 01:45 AM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
Good that it works. Executable permissions on a directory allow retrieving the directory listing.

jlinkels
 
Old 12-26-2014, 02:14 AM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by keirvt
You were right about Apache not needing www-data group memberships and only needing the user ownership and membership.

The key to getting it to work was that the permissions of the directory have to include executable.
To me that is odd since I only need to read the directory not execute anything in it. Oh well - good old unix.
Thanks for your suggestion about where to be directing effort.
Yes, the x bit must be set on a directory to be able to look into it (more specifically to traverse it). It is actually not called the execute bit on directories (directories cannot be executed!) but usually the search bit, less frequently the traversal or recurse bit - but still represented by x, so many people wrongly call it the execute bit.

Last edited by astrogeek; 12-26-2014 at 02:22 AM. Reason: oops... that's better...
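
An added example (not part of any post in this thread): a small audit script for the layout discussed above, covering both the key login that turned into a password prompt and the directory x bit. It assumes GNU `stat -c` on the backup machine; the function names `has_bits`, `ssh_strict_ok` and `web_servable` are hypothetical. The first check mirrors what sshd enforces when `StrictModes` is on (its default), the second the "other" permission bits a web server running as a different user depends on.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils `stat -c` (Linux backup machine).

# has_bits PATH OCTAL_MASK: true if any bit of the mask is set on PATH.
has_bits() { [ $(( 0$(stat -c '%a' "$1") & $2 )) -ne 0 ]; }

# ssh_strict_ok HOME UID
# With StrictModes on, sshd ignores authorized_keys unless the home
# directory, ~/.ssh and the key file are owned by the user (or root) and
# are not writable by group or others. The client then falls back to a
# password prompt, which is the symptom seen after changing ownership.
ssh_strict_ok() (
    home=$1 uid=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; exit 1; }
        owner=$(stat -c '%u' "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "wrong owner (uid $owner): $p" >&2; exit 1
        fi
        if has_bits "$p" 022; then
            echo "group/other writable: $p" >&2; exit 1
        fi
    done
)

# web_servable HOME
# A web server running as another user falls under the "other" bits: it
# needs x (search) on the home directory to reach public_html, r+x on
# public_html and its subdirectories, and r on every file it serves.
# Directories above HOME are not checked here.
web_servable() (
    home=$1
    has_bits "$home" 001 || { echo "no o+x on $home" >&2; exit 1; }
    if find "$home/public_html" \( -type d ! -perm -005 -o -type f ! -perm -004 \) \
        2>/dev/null | grep -q .; then
        echo "entries under public_html not readable by others" >&2; exit 1
    fi
    exit 0
)

# Demo on a constructed tree (not real user data): a group-writable home.
demo=$(mktemp -d) && mkdir "$demo/.ssh" "$demo/public_html"
: > "$demo/.ssh/authorized_keys"; chmod 775 "$demo"
ssh_strict_ok "$demo" "$(id -u)" || echo "-> key login would be refused"
rm -rf "$demo"
```
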
 
  

