in reply to Re: How do I allow my test script to get rsync to archive file ownership?
in thread How do I allow my test script to get rsync to archive file ownership?

I'm already using an ssh key for the remote machine. I'm referring to the password prompt for the sudo command in my bash script.

Regarding the libraries, in my bash profile, I have PERL5LIB=/path/to/my/perl/modules. The modules in my PERL5LIB path weren't installed with cpan. They are just simple module files located in a regular old directory.

For rsync's archive feature to work properly, using the root user is the prescribed way to do it, at least from what I've read. See this discussion, for example.

Thanks!

$PM = "Perl Monk's";
$MCF = "Most Clueless Friar Abbot Bishop Pontiff Deacon Curate Priest";
$nysus = $PM . ' ' . $MCF;

Re^3: How do I allow my test script to get rsync to archive file ownership?
by Arunbear (Prior) on Jan 22, 2018 at 18:10 UTC
    Sudo can be configured to not ask for a password. See the NOPASSWD option.

      OK, it finally hit me, I can give NOPASSWD access to prove. My question now is, does that open up a security hole? For example, a malicious app running under my name could basically run any perl test with root privileges, right? Or, if they got access to my local account, they could also run a perl script with root privileges.


        A Perl process running as root that loads modules from a directory owned by a non-root user is not secure. That user may modify the modules in order to do whatever he wants as root.

        sudo can be configured to let some user run a command with fixed arguments as root. Use that feature to allow the user to run just the specific rsync command you need (in order to see the rsync command Net::OpenSSH is running under the hood you can set $Net::OpenSSH::debug=-1).

        By default, Net::OpenSSH uses a different name for the control socket used to communicate with the OpenSSH client every time, which means passing a different argument to rsync every time as well, but you can fix that argument by telling the module the control path location to use with the ctl_path option when the object is constructed. For instance:

        use strict;
        use warnings;
        use Net::OpenSSH;

        my $ctl_path = '/home/user/.myapp/ssh_ctl_path';
        unlink $ctl_path;   # just in case it has been left behind in a previous run of the script
        my $ssh = Net::OpenSSH->new(..., ctl_path => $ctl_path);
        $ssh->die_on_error;
        # The argument list is fixed, so it can be matched verbatim by a sudoers entry.
        system('sudo', 'rsync', '-e', "ssh -S $ctl_path", '--blocking-io', '-q', '--',
               'host:/remote/directory', '/local/directory')
            and die "rsync command failed: $?";
        And add an entry to the sudoers file allowing the following command to be run as root without a password:
        rsync -e ssh -S /home/user/.myapp/ssh_ctl_path --blocking-io -q -- host:/remote/directory /local/directory
        You may need to mangle it in some way, as I am not sure how sudo handles arguments with spaces... In any case, don't use wildcards, as it is almost impossible to do so in a secure fashion.
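As an added example (not code from the thread, from Net::OpenSSH or from sudo), the following shell script ties Arunbear's NOPASSWD suggestion to salva's fixed-argument rule. It builds the rsync argument vector once and derives the sudoers line from that same vector, so the two cannot drift apart; it escapes the ':' in host:/remote/directory, which sudoers(5) requires for ',', ':', '=' and '\' inside command arguments; and it audits a PERL5LIB-style path list for directories and .pm files the unprivileged user can write to, which is exactly the hole salva describes, since any such file becomes root-executed code once the rule exists. The ctl_path, remote and local directories, the user name nysus and the rsync location /usr/bin/rsync are assumed values. On the spaces question: sudo compares the invoking command's arguments as a single space-joined string, so the entry carries -e ssh -S ... without any quoting and still matches the quoted "ssh -S ..." argument the script passes.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: ctl_path and the
# directories from salva's post, user name "nysus", rsync at /usr/bin/rsync.

CTL_PATH='/home/user/.myapp/ssh_ctl_path'
REMOTE='host:/remote/directory'
LOCAL='/local/directory'
RSYNC='/usr/bin/rsync'
SUDO_USER_NAME='nysus'

# sudoers(5): ',', ':', '=' and '\' inside command arguments must be
# backslash-escaped, so "host:/remote/directory" has to be written
# "host\:/remote/directory" or the entry never matches the real command.
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g' -e 's/:/\\:/g' -e 's/=/\\=/g'
}

# Build the sudoers entry for exactly one argv: user, full program path, args.
# sudo matches the caller's arguments joined by single spaces against this
# string, so "-e 'ssh -S path'" at the shell matches "-e ssh -S path" here.
# No wildcards: every argument is literal.
sudoers_entry() {
    _user=$1; _prog=$2; shift 2
    _line="$_user ALL=(root) NOPASSWD: $_prog"
    for _a in "$@"; do
        _line="$_line $(sudoers_escape "$_a")"
    done
    printf '%s\n' "$_line"
}

# List entries of a colon-separated directory list (PERL5LIB, @INC) that the
# *current* user can write to, plus any writable .pm file under them. Anything
# printed can be edited to run arbitrary code as root once the NOPASSWD rule
# exists. Run as the unprivileged user: as root, -w is true for everything.
writable_module_paths() {
    _old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$_old_ifs
    for _d in "$@"; do
        [ -d "$_d" ] || continue
        if [ -w "$_d" ]; then printf '%s\n' "$_d"; fi
        find "$_d" -name '*.pm' | while IFS= read -r _f; do
            if [ -w "$_f" ]; then printf '%s\n' "$_f"; fi
        done
    done
}

# Pre-flight: ask sudo non-interactively whether exactly this argv is allowed
# (sudo -l <command> exits 1 if not), then run it. Drift between the script
# and the sudoers entry shows up as a refusal instead of a password prompt.
run_rsync() {
    sudo -n -l "$RSYNC" "$@" >/dev/null || return 1
    sudo -n "$RSYNC" "$@"
}

# One fixed argument vector feeds both the sudoers entry and the command.
set -- -e "ssh -S $CTL_PATH" --blocking-io -q -- "$REMOTE" "$LOCAL"
sudoers_entry "$SUDO_USER_NAME" "$RSYNC" "$@"
writable_module_paths "${PERL5LIB:-}"
# run_rsync "$@"   # enable on the real machine once the entry is installed
```

Install the printed line with visudo (or drop it in a file under /etc/sudoers.d and check it with `visudo -cf <file>`), then `sudo -n -l /usr/bin/rsync ...` from the unprivileged account should echo the command back; if the audit prints anything, move those modules to a root-owned, non-world-writable directory first, or the rule is root for whoever can write them.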

      Yeah, looked into that. But apparently giving a user access to rsync is the equivalent of making them root because rsync has so many powerful features.


Re^3: How do I allow my test script to get rsync to archive file ownership?
by Corion (Patriarch) on Jan 22, 2018 at 18:00 UTC

    I don't get this. Why don't you upload as the user who should be owning the files in the end? That way you won't need root and won't need rsync to change the ownership at all.

      If I have directories with a mix of file and group ownerships, ideally I'd like to preserve them with rsync's archive option. If I upload those files to the server from a backup without the archive option, my file and group ownerships will be lost.


        Instead of trying to make rsync/tar/whatever preserve this zoo, I would try to avoid such a mix in the first place.