If you are rolling your own backup shell script on your Ubuntu Linux box, chances are you might want to use tar or perhaps rsync somewhere in that script. For this example, let’s say you’ve chosen to use tar.
At some point, you will probably want to use cron or some other mechanism to automate your backup. Furthermore, if you want to coordinate the backup of several computers from one central computer, you will probably end up running the backup by making an ssh connection from the central computer to each backup target computer. In that case, the user that is running the backup will probably not be root (unless you allow root logins on your ssh servers) and may therefore have limited privileges.
If that’s the case, the user will not be able to backup some files with tar unless you use sudo tar. The problem with this is that sudo will prompt you for a password. If you want to prevent this prompt so that you can totally automate the backup over ssh, you’ll need to do two things.
First, you’ll need to use ssh private key authentication where the private key has no password. There are lots of tutorials for how to do this. If you’re nervous about using a no-password private key, you could use a key ring mechanism instead. That’s beyond the scope of this article so just google it.
Second (and this is the main point of this article) you’ll need to add a NOPASSWD line for tar in your sudoers file. Using visudo, add the following line to your sudoers file (replace mybackupusername with the name of your backup user):
mybackupusername ALL = NOPASSWD: /bin/tar
That line tells sudo that the backup user can run sudo tar without prompting for a password. If you’re paranoid, you can fine-tune that line so it only allows certain options (switches) for tar (you might want to prevent the -x switch). For example:
mybackupusername ALL = NOPASSWD: /bin/tar -czf * -C *
Here’s another, slightly different example:
mybackupusername ALL = NOPASSWD: /bin/tar -c*
If this tip helped you, please leave me a comment or send me an email!
