允许 www-data 在其他用户下执行 rsync (php)

Question

I would like to allow php to perform rsync under an other users's privileges, let's say wwwsync user.

How can I acheive this with sudo configuration? Here is what I have done :

In sudo configutaion (sudo visudo)

www-data www-data-sync=(wwwsync) NOPASSWD: /usr/bin/rsync

This line works as excpected when logged as wwwsync user

rsync -avz -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress ~/some/path/ [remoteuser]@[remotehost]:~/some/path/

But this line executed from php using shell_exec() does not work

sudo -u wwwsync rsync -avz -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress ~/some/path/ [remoteuser]@[remotehost]:~/some/path/

Is it the right way to execute rsync under wwwsync user? Is the sudo configuration set properly?

Answer 1

I finally found out how to make it work.

sudoer configuration was wrong. Alias must be ALL, not a random alias.Also, "rsync" must have "-H" option set so the command sets the target home folder as home folder while command is executed.

In sudo configuration (sudo visudo)

www-data ALL=(wwwsync) NOPASSWD: /usr/bin/rsync

This line executed from php using shell_exec() does work (with ssh key properly set for user wwwsync and remote host)

sudo -H -u wwwsync rsync -avz -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress /some/path/ [remoteuser]@[remotehost]:~/some/path/

Note : wwwsync rigths / perms must be carfully set so www-data won't synchronize unwanted folders to remote host.

This finally allows me to perform safe ressource synchronisation between a master server and slave servers : Safe way to synchronize ressources between servers through php / linux

If that could help...