SSH public keys can be added to ~/.ssh/authorized_keys on a typical system to allow the holder of the private key to access the system. Sometimes, however, you might want to restrict the access a particular key has.
In my case, I wanted my CI system to be able to push my static site after the build was complete. I didn't want the CI system to have unrestricted access to my server via private key. After a little bit of research I found rrsync.
The rsync package has a helper script that facilitates restricting rsync.
On Ubuntu, it can be extracted from /usr/share/:
gunzip --to-stdout /usr/share/doc/rsync/scripts/rrsync.gz > ~/bin/rrsync
chmod +x ~/bin/rrsync
The restricted rsync command takes a single argument: the subdirectory to which the user's actions are restricted.
The -ro flag can be used to allow only read-only rsync commands. The forced command goes in front of the key in ~/.ssh/authorized_keys:
command="$HOME/bin/rrsync -ro /path/to/subdir/"
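
A forced command on its own does not switch off port, agent or X11 forwarding for the key, so the entry is usually paired with OpenSSH's restrict option. The following added example (not code from the original post) builds such an entry for the CI push case, where -ro is left out, and classifies existing authorized_keys lines. The function names make_entry and classify_entry and the key material are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# The key material below is a constructed placeholder, not a real key.

# Print an authorized_keys entry that pins a key to rrsync in one directory.
#   $1 = "rw" or "ro"   $2 = directory   $3 = public key line (type, base64, comment)
make_entry() {
    flag=""
    if [ "$1" = "ro" ]; then flag="-ro "; fi
    # $HOME stays literal, as on the page; the account's shell expands it at connect time.
    printf 'command="$HOME/bin/rrsync %s%s",restrict %s\n' "$flag" "$2" "$3"
}

# Classify one authorized_keys line:
#   unrestricted  no forced command, the key gets a normal login
#   command-only  forced command, but forwarding and pty are still permitted
#   locked        forced command plus the "restrict" option
classify_entry() {
    case $1 in ''|'#'*) echo skip; return 0 ;; esac
    # Options are whatever precedes the key type token.
    opts=$(printf '%s\n' "$1" |
        sed -E 's/(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+|sk-[^ ]+) .*$//')
    # Drop quoted values so text inside the command string is not read as an option.
    bare=$(printf '%s\n' "$opts" | sed 's/"[^"]*"//g')
    case $opts in
        *'command="'*) ;;
        *) echo unrestricted; return 0 ;;
    esac
    case ",$bare," in
        *,restrict,*) echo locked ;;
        *) echo command-only ;;
    esac
}

# Constructed sample lines: a bare key, the page's style of entry, a hardened entry.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedplaceholder ci@example'
PAGE_STYLE="command=\"\$HOME/bin/rrsync -ro /path/to/subdir/\" $KEY"
for l in "$KEY" "$PAGE_STYLE" "$(make_entry rw /path/to/subdir/ "$KEY")"; do
    printf '%-13s %s\n' "$(classify_entry "$l")" "$l"
done
```

The restrict option needs OpenSSH 7.2 or later; on older servers the individual no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty options serve the same purpose, and the classifier would need to accept them as well.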