Restricting rsync

Do you have a Unix system you want to back up? Let’s say you want to go with an extremely quick and easy backup, so you choose the venerable rsync, copied via SSH.

In this age of state-backed hacking threats and ransomware attacks, you have also decided to be extra cautious. Your backup system should only be able to read the backed-up files, and should only be able to run rsync.

Those clever rsync guys

They already thought of this, and wrote a script, rrsync, meant for this very purpose!

If you are on Debian/Ubuntu, you can copy it from: /usr/share/doc/rsync/scripts/rrsync.gz. Alternatively, you can download it directly from the source: rrsync on samba.org. It is a humble Perl script, and it needs nothing other than rsync.

Set it up

The script itself includes examples of how to set it up.

However, for completeness, here is an example SSH authorized_keys entry:

from="150.30.20.10",command="$HOME/bin/rrsync -ro ~",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWrIQ5mPmQRt0U8qA2VSTHwx9ZBKQXHFT02fiqufK9emk++NIMBGP1mxmpHox0kb59AxQT1iigwesZU94cZj/5QOPtPi3ScjEfFT7luMqSEkCIhthBzZrLxYbZudOCqweDnZnoWRK55WxwisYdhydKw5+F4ffQVBSZYsfX3YACF21LVms7aDO0ioiiJ3fEOOMHOlN6Kpn4KrYpOjxB0RmBBtDAOwCS4WbZ3II6YoEggBEnzpYNl2mw2EAA9dEDqE952gMdgRXDrP7sA2jpRHlOE+P8dpy+DqIhc5CKJXK/9VWGqaZD00zUfjX42bzVhEN1Pn6I/uLTIx79RhnOGukh root@your-backup-system
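
To check that every key on the backed-up host really carries these restrictions, here is an added example (not part of the original post and not part of rrsync): a Python script that audits authorized_keys lines for a forced read-only rrsync command, a from= restriction, and the no-* options used above. The sample entries, the placeholder key, the 192.0.2.10 address and the function names are constructed for illustration; it goes beyond the entry above by also accepting OpenSSH's `restrict` option as equivalent to the no-* flags.

```python
import re

# Restrictions the page's entry sets; sshd matches option names case-insensitively.
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_options(line):
    """Parse the leading comma-separated options field into {name: value-or-True}."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):
        return opts
    while (m := OPTION.match(line, pos)):
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
        if line[pos:pos + 1] != ",":
            break
        pos += 1
    return opts

def missing_flags(opts):
    """'restrict' implies every no-* flag unless a positive option re-enables it."""
    if "restrict" in opts:
        return {f for f in REQUIRED if f[3:] in opts}
    return REQUIRED - set(opts)

def audit_entry(line):
    """Return findings for one authorized_keys line; an empty list means it matches."""
    opts = parse_options(line.strip())
    findings = []
    argv = opts["command"].split() if isinstance(opts.get("command"), str) else []
    if not argv:
        findings.append("no forced command")
    elif argv[0].rsplit("/", 1)[-1] != "rrsync":
        findings.append("forced command is not rrsync")
    elif "-ro" not in argv:
        findings.append("rrsync not read-only (-ro)")
    if not isinstance(opts.get("from"), str):
        findings.append("no from= source restriction")
    findings += ["missing " + f for f in sorted(missing_flags(opts))]
    return findings

# Constructed sample entries (placeholder key material, documentation address).
KEY = "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER root@backup"
GOOD = ('from="192.0.2.10",command="$HOME/bin/rrsync -ro ~",no-agent-forwarding,'
        'no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ' + KEY)
WRITABLE = 'command="$HOME/bin/rrsync ~",restrict ' + KEY
BARE = KEY

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("WRITABLE", WRITABLE), ("BARE", BARE)):
        print(name, audit_entry(entry) or "ok")
```

To audit a real file, call `audit_entry` on each non-blank, non-comment line of `~/.ssh/authorized_keys`.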