rsync --rsync-path: Running Remote rsync as sudo
rsync --rsync-path tells rsync what command to run on the remote side, most often "sudo rsync" to gain write access to protected directories.
When the deploy user cannot write to /var/www or set ownership, running the remote rsync under sudo is the clean fix, given a passwordless sudoers rule.
What it does
--rsync-path=COMMAND overrides the program rsync invokes on the remote host (default is "rsync"). Setting it to "sudo rsync" runs the receiving side with elevated privileges, which lets it write to root-owned directories and honor -o / --chown. This only affects the remote side; the local side runs as you.
Options
| Value | What it does |
|---|---|
| --rsync-path="sudo rsync" | Run the remote rsync under sudo |
| --rsync-path="/usr/local/bin/rsync" | Point at a non-default rsync path |
| --rsync-path="sudo /usr/bin/rsync" | Explicit binary path with sudo |
| --rsync-path="nice rsync" | Wrap the remote rsync (e.g. nice/ionice) |
Common usage
# Deploy into a root-owned path via sudo on the remote
rsync -av --rsync-path="sudo rsync" dist/ deploy@host:/var/www/app/
# Combine with ownership control
rsync -av --rsync-path="sudo rsync" --chown=www-data:www-data \
dist/ deploy@host:/var/www/app/Remote sudoers setup
# /etc/sudoers.d/deploy on the server
deploy ALL=(root) NOPASSWD: /usr/bin/rsyncIn CI
For non-interactive deploys, the sudoers entry must be NOPASSWD and scoped to the rsync binary path. Without it, sudo tries to read a password from a TTY that does not exist and the job hangs or fails with "sudo: a password is required".
Common errors in CI
sudo: a terminal is required to read the password; either use the -S option ... or "sudo: no tty present and no askpass program specified" means there is no passwordless sudo rule. Add the NOPASSWD sudoers entry. If you see "rsync: command not found" from sudo, the sudoers path does not match the real rsync location (check "which rsync" on the server).