Website of latouche


Use rdiff-backup with sudo

Warning: rdiff-backup-2.0.x and rdiff-backup-1.1.x are incompatible

Why?

rdiff-backup is a tool that creates incremental backups using ssh to connect to remote hosts.

For security reasons, I run rdiff-backup as a non-privileged user. Because some files can only be read by root (think of /etc/shadow for example), I use sudo to get the needed privileges.

I also disallow root logins in sshd_config, so ssh connections can't be made with the root account and sudo is needed.

Create the non-privileged user

On the backup server:

On each client:

Run rdiff-backup

The classic way to use rdiff-backup is:

rdiff-backup client::/remote/dir /local/dir

Because we want to use sudo, we need to tweak the remote schema, which is by default ssh -C %s rdiff-backup --server, where %s is replaced by the client hostname. Just add sudo to that command:

rdiff-backup --remote-schema 'ssh -C %s nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /' client::/etc /srv/backup/test

--restrict-read-only / is a safety measure that forbids writing on the client.

On the server, the user backup will connect to the client via ssh, authenticate itself with the RSA key and launch rdiff-backup in server mode with root privileges. Then, it will back up /etc to /srv/backup/test.

To back up the server itself, you can use another remote schema that doesn't use ssh (this removes the ssh overhead and the CPU spent on ssh compression):

rdiff-backup --remote-schema '%s' 'nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /'::/etc /srv/backup/test

Note that rdiff-backup --remote-schema 'nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /' localhost::/etc /srv/backup/test won't work, because the schema contains no %s.

You can now create your own script (you can have a look at mine or download it) on the server to mount the backup partition, back up each client to its own directory and unmount the partition. Because backups can fail or last a really long time, don't forget to add a lock file to avoid running multiple backups at the same time.
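The following is an added example of such a server-side script, not the script linked above. It uses the sudo remote schema from this page, backs up each client into its own directory, takes a lock so two runs never overlap, and also backs up the server itself with the ssh-less schema; BACKUP_DEV and the client names are constructed placeholders.

```sh
#!/bin/sh
# Added example, not the script from the page. Backs up each client into its
# own directory with the sudo remote schema shown above, mounts/unmounts the
# backup partition and holds a lock so two runs never overlap.
# Assumptions: the server user "backup" has key-based ssh to every client and
# passwordless sudo for /usr/bin/rdiff-backup there; BACKUP_DEV and CLIENTS
# are constructed placeholders.

BACKUP_ROOT=${BACKUP_ROOT:-/srv/backup}
BACKUP_DEV=${BACKUP_DEV:-/dev/sdb1}
LOCK_DIR=${LOCK_DIR:-/var/lock/rdiff-backup.lock}
CLIENTS=${CLIENTS:-"alpha beta"}

# Remote schema from the page: the client side runs rdiff-backup as root via
# sudo, restricted to read-only access below /.
SUDO_SCHEMA='ssh -C %s nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /'

# mkdir is atomic, so a lock directory avoids a test-then-create race.
# Returns 0 when the lock was taken, 1 when another run already holds it.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1"; }

# Back up one directory of one client to $BACKUP_ROOT/<client>.
# RDIFF can be overridden (e.g. RDIFF=echo) to dry-run the command.
backup_client() {
  "${RDIFF:-rdiff-backup}" --remote-schema "$SUDO_SCHEMA" \
    "$1::$2" "$BACKUP_ROOT/$1"
}

# Back up a directory of the server itself without ssh: with the '%s'
# schema, rdiff-backup runs the quoted "hostname" as a local command.
backup_self() {
  "${RDIFF:-rdiff-backup}" --remote-schema '%s' \
    "nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /::$1" \
    "$BACKUP_ROOT/$(hostname)"
}

# Whole run: lock, mount, back up everything, unmount, unlock. A failing
# client does not stop the others; the exit status reports any failure.
run_backups() {
  acquire_lock "$LOCK_DIR" || { echo "another backup is running" >&2; return 1; }
  mount "$BACKUP_DEV" "$BACKUP_ROOT" || { release_lock "$LOCK_DIR"; return 1; }
  status=0
  for c in $CLIENTS; do
    backup_client "$c" /etc || status=1
  done
  backup_self /etc || status=1
  umount "$BACKUP_ROOT"
  release_lock "$LOCK_DIR"
  return $status
}
```

Call run_backups from cron as the backup user; a second invocation while one is still running exits immediately with "another backup is running".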


You can exclude/include directories using --exclude and --include. It's even possible to exclude/include from a file with --exclude-globbing-filelist and --include-globbing-filelist.

If you want to back up only part of /, you can use the following syntax (the order is important: include first, then exclude):

rdiff-backup --include-globbing-filelist $file --exclude '*' ....

where $file points to a file with one directory per line.


Last update: 2008/02/20

2007/11/18: Initial creation
2008/02/20: Better user creation (use -m option)