Has anyone suggested using setuid?
Why don't you write a program to do the backup. Set ownership root, group to "backup", chmod 770 and then setuid on the program
and you can remote login as the "backup" group and execute the program with root privileges to do just the things you put in the
code. If this isn't acceptable to the "security team" then you'd better also disable the password program.
Just a thought.
Pete
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html