Like the title says.

This is the last entry in my sudoers file (IP address redacted to protect the innocent):


backups ALL=(ALL) NOPASSWD:/usr/bin/rsync --rsync-path\='sudo /usr/bin/rsync' --verbose --archive --one-file-system -e 'ssh -o StrictHostKeyChecking\=no -o UserKnownHostsFile=/dev/null' --link-dest\=~/system_backup/data --hard-links --human-readable --inplace --progress --delete-excluded --numeric-ids --exclude-from\=excludes.txt javaguy@MY.PC.IP.ADDRESS\:/ /home/backups/system_backup/daily/current

I made sure to put it on the last line of sudoers because I've already gone through the pain of learning the hard way that if I put an entry in the middle it can get overridden by a later entry.

So then user backups runs my backup script, but it asks for a password when it gets to this line:

sudo /usr/bin/rsync --rsync-path='sudo /usr/bin/rsync' --verbose --archive --one-file-system -e 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' --link-dest=~/system_backup/data --hard-links --human-readable --inplace --progress --delete-excluded --numeric-ids --exclude-from=excludes.txt javaguy@MY.PC.IP.ADDRESS:/ /home/backups/system_backup/daily/current

Any idea what I'm doing wrong?


Thanks,
Sam

That's pretty crazy for a sudoers entry, why not put all that in a bash script and let them call that script?

It's big, but it is a one-line command.

Since it's running as root I want to lock down exactly the rsync command the backups user is allowed to use, otherwise I'd be giving carte blanche to overwrite any file in the system using rsync.

if they can't cahnge the script file that contains all of that, then it's no less secure, and vastly easier to troubleshoot the sudo part of the equation.

When I enter a similar command I still get asked for the password. When I put the command in a script and put the script name in sudoers I still get asked for the password and it won't let me execute the command in the script. Example:

username hostname (root) NOPASSWD: /bin/chown -R /full/path/name/*

When I enter ":x" visudo gives me a syntax error. When I created a script "chown_tree" and put this in using visudo, I got no errors but when the user executes: sudo chown_tree it prompts for the password then reports insufficient permission to execute the command. How do I trouble shoot this problem?

What is the sudo in your command line to be run? That might be prompting for for the password within the command line itself. Also does backups need to run sudo as all users, personal preference I would change ALL=(ALL) to ALL=(root) or ALL=(joeuser).

Wonder if automake would create a more manageable way to run this?