- 08-22-2012 #1
Read only access via /etc/sudoers?
I want to create a special user that will run a script that creates a backup of the /etc directory using rsync.
In order to let this user read all of /etc, it needs to have some kind of sudo privilege.
If I make an entry in the sudoers file letting the user execute rsync within the /etc directory, then this user can also write to the /etc directory with rsync, which is not good.
Is it possible to give a user read-only access to a directory using the sudoers file? I saw a solution which restricts the user to use only /bin/cat, but I want to use rsync to make the backups.
- 08-22-2012 #2
This could be done by configuring and running rsync as a daemon.
You would start it with root privileges, hence rsyncd has potentially full access to everywhere.
Then you define a module for the path /etc.
That module would be restricted to read only by configuration.
It will also allow access for "special user".
But imho, there are better ways than this:
If I interpret your post correctly, then your goal is to have a script for systemconfigbackup,
but you want a safeguard against accidentally overwriting /etc. Is that correct?
If yes, then
1) you might want to try one of the well established backup suites like amanda or bacula.
2) and/or use a config management tool like puppet
bacula if a mere backup is enough, and puppet if you want to control and maintain your machines in a programmatical way.
You must always face the curtain with a bow.
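Added example, not part of the original post: a minimal rsyncd.conf for the read-only /etc module that post #2 describes. The module name `etc`, the rsync user name `etcbackup`, the loopback-only binding and the file paths are assumptions.

```ini
# /etc/rsyncd.conf -- constructed example, names and paths are assumptions

# Global parameters: bind to loopback so the daemon is not reachable
# from the network; the backup script runs on the same host.
address = 127.0.0.1
port = 873
log file = /var/log/rsyncd.log

[etc]
    path = /etc
    comment = read-only export of /etc for the backup script

    # The daemon is started by root; keep root for this module so that
    # every file under /etc can be read.
    uid = root
    gid = root

    # The daemon refuses every upload or delete to this module, whatever
    # options the client passes.
    read only = yes
    list = no
    use chroot = yes

    # Only this rsync-level user may connect. "auth users" names live in
    # the secrets file (one "user:password" line each, file mode 600);
    # they do not have to be system accounts.
    auth users = etcbackup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 127.0.0.1

    # The secrets file sits inside the exported tree, so keep it out of
    # what the module serves.
    exclude = /rsyncd.secrets

# The backup script, run as the unprivileged user, then pulls with:
#   rsync -a --password-file=/home/etcbackup/.rsync.pass \
#       etcbackup@127.0.0.1::etc/ /backup/etc/
```

Because the module runs as root, anyone holding the `etcbackup` password can read every file under /etc, including /etc/shadow, so the password file and the backup destination need the same protection as /etc itself.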
- 08-24-2012 #3
For something like that I would just use acls.
Essentially you would use setfacl to set that particular user to have 400 /etc.
You might have to enable the acl mount option depending on the version / distro you are running.
HTH


