SirNas (Aspirant)
Aug 02, 2020
Readynas rsync failing on .ssh folder
Hi,
I am backing up a Readynas 204 to a Readynas 428 using rsync over SSH. I was previously pushing data from the 204 --> 428, but my institution blocked port 22, so now I have to use the 428 to pull data from the 204. I am getting a failure backing up the ".ssh" folder in one of the home folders.
Error:
rsync: opendir "/data/home/username/.ssh" failed: Permission denied (13)
Any idea what the .ssh folder is and why it can't be backed up?
The user that is failing is a cloud user. I had to create a new local user account on the 204, since it seems cloud users can't do rsync over ssh. I'm also not quite sure how the local user I created is able to back up all the home folders. That local user shouldn't really have access to other local users' folders...
Thanks!
3 Replies
- schumaku (Guru - Experienced User)
SirNas wrote: Any idea what the .ssh folder is and why it can't be backed up?
This is the folder where user-specific stuff, including certificates and so on, is stored by the sshd and by ssh - and these .ssh folders are locked down by default for good reasons - check the ownership and the U**x protection mask.
SirNas wrote: The user that is failing is a cloud user. I had to create a new local user account on the 204, since it seems cloud users can't do rsync over ssh.
The cloud users have a special meaning, and are in place more for the mapping to local UID and GID. A local user intended to be used as a backup account should have no other usage, and requires access to any volumes, folders and files of course.
SirNas wrote: That local user shouldn't really have access to other local users folders...
It's not a user account requiring access to ftp, smb, ... but of course it must have the privileges to read the volumes/folders/files you intend to back up. Either way, this is an account not to be used for the daily work with the NAS.
- SirNas (Aspirant)
I'm confused about two things.
1. How is it working at all? That local user shouldn't have access to all the other users files. I didn't give that user access.
2. Why is it failing on that folder now that I am pulling instead of pushing? Is pushing from the NAS to do backups of the home folders somehow different?
- schumaku (Guru - Experienced User)
Show the config of the backup job (screenshots).
If the intention is to back up all home folders the user must (of course....) have at least read access to all users' home folders on the remote (source) system.
The rsync process on that remote system runs under that user's UID and GID, and probably secondary groups. When I look at the masks and the ACLs on files and folders in the user's folder, I get this:
root@RN516:~# getfacl /data/home/myusername/*
# file: data/home/myusername/VDO_1269.avi
# owner: myusername
# group: users
user::rwx
user:myusername:rwx
group::r-x
group:users:r-x
mask::rwx
other::r-x
....so not even ACLs in place...
root@RN516:~# ls -als /data/home/myusername/VDO_1269.avi
167964 -rwxrwxr-x+ 1 myusername users 171994108 Aug 05 2020 /data/home/myusername/VDO_1269.avi
So you see - a process run by a normal user created by the ReadyNAS Web UI defaults to the user group users - and it has access to all, well, almost all files.
When looking into a typical .ssh - I show the /root/.ssh as an example (similar for other users in their home folder) - you find that the .ssh and its content has special protection masks in place, e.g. to "protect" the private key:
root@RN516:~# ls -als /root/
total 28
0 drwx------ 1 root root 88 Mar 3 22:22 .
4 drwxr-xr-x 1 root root 296 Mar 3 22:28 ..
12 -rw------- 1 root root 9305 Jul 17 20:57 .bash_history
4 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
0 drwxr-xr-x 1 root root 38 Sep 26 2015 .forever
4 -rw-r--r-- 1 root root 140 Nov 19 2007 .profile
4 -rw------- 1 root root 1024 May 9 2019 .rnd
0 drwx------ 1 root root 32 Jun 15 2013 .ssh
root@RN516:~# ls -als /root/.ssh
total 8
0 drwx------ 1 root root 32 Jun 15 2013 .
0 drwx------ 1 root root 88 Mar 3 22:22 ..
4 -rw------- 1 root root 1679 Jun 15 2013 id_rsa
4 -rw-r--r-- 1 root root 399 Jun 15 2013 id_rsa.pub
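
As an added example, not part of the thread: a pre-flight check, run as root on the source NAS, that lists what an rsync pull under a non-owner backup account would get "Permission denied" on. It assumes the account is a member of each entry's owning group (as with the default `users` group shown above) and judges mode bits only, without evaluating ACL entries; the function name `backup_blockers` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Lists paths under a tree that a backup
# account would be denied on, judged from mode bits only.
# Assumptions: the account is not the owner, is a member of each entry's
# owning group, and ACL entries are not evaluated.

# backup_blockers ROOT  (hypothetical helper name)
#   directory: needs group r+x (octal 050) to be listed and entered
#   file:      needs group r   (octal 040) to be read
# A blocked directory is printed once and pruned, since nothing below it
# is reachable either.
backup_blockers() {
    find "$1" \
        \( -type d ! -perm -050 -print -prune \) -o \
        \( -type f ! -perm -040 -print \)
}

# Stand-alone use: sh script.sh /data/home
if [ "$#" -gt 0 ]; then
    backup_blockers "$1" | while IFS= read -r p; do
        ls -ld "$p"    # show mode, owner and group for each blocked entry
    done
fi
```

A 0700 `.ssh` appearing in the output is the lock-down described above, not a fault.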