Unfortunately, due to the hosting provider, I am unable to access the rsync daemon as root and secure it accordingly. Instead, in order to take regular remote backups from the server, I have to access the rsync daemon as a non-root user that has limited sudo privileges via the `/etc/sudoers` file.
I have managed to get this to work and can successfully take backups, using the solution below (scroll down).
**Additional Info Per Request**

a.) `non-root-username` has this sudo privilege via `/etc/sudoers`:

```
non-root-username ALL=NOPASSWD: /usr/bin/rsync
```
b.) The goal is to use a non-root user to take secure remote backups of my system directory called `/backups` (using an encrypted ssh connection and rsyncd instead of the rsync protocol, to save on resources).

c.) A single directory called `/backups` (which I can successfully do with the solution below; I just want to make sure it is as secure as possible).
**Question:**
How do I make this non-root-user rsync daemon connection more secure?
**Issues**

Because `sudo rsync` does not save environment variables, I have a variety of issues:

1.) In `/etc/rsyncd.conf` the `hosts allow =` function no longer works; the server-side `rsync.log` shows:

```
rsync allowed access on module data from UNKNOWN (0.0.0.0)
rsync on data/ from root@UNKNOWN (0.0.0.0)
building file list
```

2.) Via `/etc/ssh/sshd_config` and/or `/home/non-root-user/.ssh/authorized_keys` I am unable to use `ForceCommand` or `command=rsync --server --daemon .`, respectively, for the actual rsync command. Any attempt to do so results in:

```
rsync: did not see server greeting
rsync error: error starting client-server protocol (code 5) at main.c(1675) [Receiver=3.1.3]
```
2a.) I currently have these values restricting my non-root-backup-user in my `/etc/ssh/sshd_config` ... any additional recommendations?

```
Match User non-root-username
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
# ForceCommand /usr/bin/sudo /usr/bin/rsync <-- will not work
# ForceCommand sudo rsync <-- will not work
# ForceCommand rsync <-- will not work
```
**My current solution:**

Using:

```
rsync -a -e "ssh -l non-root-username" --rsync-path="sudo rsync" xx.xx.xx.xx::data /local/path
```
**Update:**

The edit to the above command caused `@ERROR: auth failed on module data`; therefore I had to change the auth user in the above `/etc/rsyncd.conf` to `auth users: root`, and the same for `/etc/rsyncd.conf`:
```
root@admin:~# cat /etc/rsyncd.conf
# Global configuration of the rsync service
pid file = /var/run/rsyncd.pid
#hosts allow = 123.123.123.123 <-- hashed out
log file = /var/log/rsync.log
# Username and group for working with backups
uid = root
gid = root
# Don't allow to modify the source files
read only = yes
# Data source information
[data]
use chroot = false
#strict modes = false <-- (defaults to true)
path = /backups
list = yes
auth users = root
secrets file = /etc/rsyncd.passwd
```
In my `/etc/rsyncd.passwd` file, I have:

```
root@admin:~# cat /etc/rsyncd.passwd
root:password
```
I have these permissions for `/etc/rsyncd.conf`:

```
root@admin:~# stat /etc/rsyncd.conf
File: /etc/rsyncd.conf
Size: 471 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 144028 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 1001/root)
Access: 2022-05-21 13:38:46.797769245 +0800
Modify: 2022-05-21 13:38:42.641735637 +0800
Change: 2022-05-21 13:55:52.384894170 +0800
```

And I have these permissions for `/etc/rsyncd.passwd`:

```
root@admin:~# stat /etc/rsyncd.passwd
File: /etc/rsyncd.passwd
Size: 31 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 144040 Links: 1
Access: (0640/-rwxrwxr-x) Uid: ( 0/ root) Gid: ( 1001/root)
Access: 2022-05-21 13:38:06.989448597 +0800
Modify: 2022-05-21 13:37:37.473212811 +0800
Change: 2022-05-21 13:37:37.473212811 +0800
```
Any tips?
Asked by Time-Bandit
(218 rep)
May 22, 2022, 01:14 PM
Last activity: May 1, 2024, 03:21 PM
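As an added example that is not part of the question and not rsync's own tooling: a small POSIX shell audit script that reads an `rsyncd.conf` and its secrets file and reports the settings from the post that widen exposure (the commented-out `hosts allow`, `uid = root`, `use chroot = false`, a secrets file wider than 0600, and a short daemon password). The two input files are constructed temp copies of what the post shows so the script runs offline; the function names `conf_value`, `file_mode` and `audit_rsyncd` are my own. On a real host, pass `/etc/rsyncd.conf` and `/etc/rsyncd.passwd` to `audit_rsyncd` instead.

```shell
#!/bin/sh
# Added example (not from the question): audit an rsyncd.conf plus its secrets
# file for the weak settings seen in the post. Inputs are constructed temp files.

SAMPLE_CONF="$(mktemp)"
SAMPLE_SECRETS="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_SECRETS"' EXIT

# Constructed copy of the daemon settings shown in the post (hosts allow commented out).
cat > "$SAMPLE_CONF" <<'EOF'
pid file = /var/run/rsyncd.pid
#hosts allow = 123.123.123.123
log file = /var/log/rsync.log
uid = root
gid = root
read only = yes
[data]
use chroot = false
path = /backups
list = yes
auth users = root
secrets file = /etc/rsyncd.passwd
EOF

# Constructed secrets file: the trivial password from the post, group-readable as in the post.
printf 'root:password\n' > "$SAMPLE_SECRETS"
chmod 640 "$SAMPLE_SECRETS"

# conf_value FILE KEY: value of the last active "key = value" line for KEY.
# Comment lines and "[module]" headers are skipped; prints nothing if the key is unset.
conf_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*\[/ { next }
    index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) val = v
    }
    END { print val }' "$1"
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_rsyncd CONF SECRETS: print one finding per line. Always returns 0 so the
# caller can capture the output however many findings there are.
audit_rsyncd() {
  conf="$1"; secrets="$2"
  [ -z "$(conf_value "$conf" "hosts allow")" ] &&
    echo "hosts allow: unset, so the daemon does not filter clients by address"
  [ "$(conf_value "$conf" "uid")" = "root" ] &&
    echo "uid: the daemon serves files as root; a dedicated user with read access to the module path limits exposure"
  case "$(conf_value "$conf" "use chroot")" in
    false|no) echo "use chroot: disabled, so confinement to the module path depends on symlink munging rather than a chroot" ;;
  esac
  case "$(conf_value "$conf" "read only")" in
    yes|true) ;;
    *) echo "read only: not enforced, so clients could write into the module" ;;
  esac
  if [ -f "$secrets" ]; then
    mode="$(file_mode "$secrets")"
    case "$mode" in
      600|400) ;;
      *) echo "secrets file: mode $mode; keep it 0600 so only the daemon's uid can read the password" ;;
    esac
    # Each line is "user:password"; flag short passwords (threshold is this script's own choice).
    while IFS=: read -r user pass; do
      case "$user" in ''|'#'*) continue ;; esac
      [ "${#pass}" -lt 16 ] &&
        echo "secrets file: password for '$user' is shorter than 16 characters"
    done < "$secrets"
  else
    echo "secrets file: $secrets is missing, so daemon authentication cannot work"
  fi
  return 0
}

audit_rsyncd "$SAMPLE_CONF" "$SAMPLE_SECRETS"
```

Run against the constructed copy of the post's configuration, the script reports five findings (`hosts allow`, `uid`, `use chroot`, the 0640 secrets file, and the 8-character password) and is silent about `read only = yes`, which already matches the backup-only intent. `conf_value` reads the last active occurrence of a key, which is how rsync itself resolves repeated settings, so a `hosts allow` that is only present as a comment is correctly treated as unset.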