@Mikesco3
Forked from csarn/README.md
Last active March 22, 2022 07:33
ZFS pull backup with minimal permissions

Usage

1. On the system that should be backed up

Create a user called zfsbackup:

useradd zfsbackup --create-home --system
mkdir -p /home/zfsbackup/{.ssh,.local/bin}
chown zfsbackup:zfsbackup /home/zfsbackup --recursive

Restrict the commands this user's key may run by setting a forced command in its authorized_keys:

echo 'restrict,command="restrict_commands.sh" ssh-ed25519 ...' > /home/zfsbackup/.ssh/authorized_keys

Place restrict_commands.sh in /home/zfsbackup/.local/bin.

If the script fails because the ts command is missing, install the moreutils package:

sudo apt install moreutils

Grant the send and hold permissions on tank/dataset (substitute the name of your ZFS pool and dataset):

zfs allow -u zfsbackup send,hold tank/dataset

2. On the backup server

Run a cron job with:

syncoid --no-sync-snap --no-privilege-elevation --sendoptions=Rw zfsbackup@target:tank/dataset tank/dataset

restrict_commands.sh

#!/bin/bash
# Forced command for the zfsbackup SSH key: execute only the commands that
# syncoid issues, and log everything else.
export PATH=$PATH:$HOME/.local/bin:/usr/sbin

# Building blocks for the extended regular expressions below
_RE_DATASET=$'[\"\']+[a-z0-9/_]+[\"\']+'
_RE_SNAPSHOT=$'[\"\']+[a-z0-9/_]+[\"\']*@[\"\']*[a-z0-9/_:-]+[\"\']+'
_RE_SIZE=$'[0-9]+[kMG]?'

# Each -e pattern must match a whole command line (grep -x)
_WHITELIST=(
    -e "exit"
    -e "echo -n"
    -e "zpool get -o value -H feature@extensible_dataset $_RE_DATASET"
    -e "zfs get -H syncoid:sync $_RE_DATASET"
    -e "zfs get -Hpd 1 -t snapshot guid,creation $_RE_DATASET"
    -e " *zfs send -R -w -nvP $_RE_SNAPSHOT"
    -e " *zfs send -R -w +$_RE_SNAPSHOT \| +lzop +\| mbuffer +-q -s $_RE_SIZE -m $_RE_SIZE 2>/dev/null"
    -e " *zfs send -R -w -nvP +-I $_RE_SNAPSHOT $_RE_SNAPSHOT"
    -e " *zfs send -R -w +-I $_RE_SNAPSHOT $_RE_SNAPSHOT \| lzop +\| mbuffer +-q -s $_RE_SIZE -m $_RE_SIZE 2>/dev/null"
    -e "command -v (lzop|mbuffer)"
)

## LOG non-whitelisted commands, execute whitelisted
# grep -E replaces the deprecated egrep; the matching behaviour is the same.
echo "$SSH_ORIGINAL_COMMAND" |\
    tee >(grep -E -x -v "${_WHITELIST[@]}" \
        | ts "non-whitelisted command issued: (client $SSH_CLIENT)" \
        | logger -p local0.crit \
    ) |\
    grep -E -x "${_WHITELIST[@]}" | bash
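
Before relying on the filter, it helps to confirm which requests it accepts. The dry-run harness below is an added example, not part of the original gist: it copies a subset of the gist's patterns into plain sh and classifies constructed command strings without executing anything. The helper names (allowed_lines, is_allowed, check) and the sample dataset and snapshot names are assumptions, and is_allowed gives an all-or-nothing verdict per request, whereas the gist's script filters line by line.

```sh
#!/bin/sh
# Added example: dry-run check of the allowlist idea in restrict_commands.sh.
# It only classifies command strings; nothing is executed.

# Same character classes as the gist, written without bash-only $'...' quoting.
Q="[\"']+"
RE_DATASET="${Q}[a-z0-9/_]+${Q}"
RE_SNAPSHOT="${Q}[a-z0-9/_]+[\"']*@[\"']*[a-z0-9/_:-]+${Q}"

# Print the lines of "$1" that the filter would hand to bash.
# -x anchors every pattern to the whole line, so extra text fails the match.
allowed_lines() {
    printf '%s\n' "$1" | grep -E -x \
        -e "exit" \
        -e "echo -n" \
        -e "zfs get -H syncoid:sync $RE_DATASET" \
        -e "zfs get -Hpd 1 -t snapshot guid,creation $RE_DATASET" \
        -e " *zfs send -R -w -nvP $RE_SNAPSHOT" \
        -e "command -v (lzop|mbuffer)"
}

# Hypothetical helper: succeed only if the request is non-empty and every
# one of its lines is allowlisted.
is_allowed() {
    [ -n "$1" ] && [ "$(allowed_lines "$1")" = "$1" ]
}

check() {
    if is_allowed "$1"; then verdict=ALLOW; else verdict=DENY; fi
    printf '%-5s %s\n' "$verdict" "$1"
}

# Constructed requests; dataset and snapshot names are made up.
check "zfs get -H syncoid:sync 'tank/dataset'"
check " zfs send -R -w -nvP 'tank/dataset'@'autosnap_2022-03-22_daily'"
check "command -v mbuffer"
check "zfs get -H syncoid:sync 'tank/dataset'; echo extra"  # trailing text
check "zfs destroy 'tank/dataset'"                          # verb not listed
check "zfs get -H syncoid:sync 'Tank/Dataset'"              # uppercase letters
check "zfs send -R 'tank/dataset'@'snap'"                   # other send flags
```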