| 1 |
On 11/14/11 20:54, Grant wrote: |
| 2 |
>> |
| 3 |
>> If you're intent on making a two-stage pull work; you can do it by |
| 4 |
>> creating a 'backups' user on your servers, and then using filesystem |
| 5 |
>> ACLs to grant backups+r to every file/directory you want to back up. |
| 6 |
>> That way, an attacker on the backup server can't decide to peruse the |
| 7 |
>> rest of your stuff. |
| 8 |
> |
| 9 |
> I like that. So use ACLs to grant access to the backups instead of |
| 10 |
> using ownership/permissions so that the ownership/permissions stay |
| 11 |
> intact. I've never used ACLs. Do they "override" |
| 12 |
> ownership/permissions? In other words, if the ACL specifies backups+r |
| 13 |
> to a file owned by root that is chmod 700, "backups" can read it |
| 14 |
> anyway? |
| 15 |
|
| 16 |
Yup, they work like Windows ACLs if you've used those. You can grant one |
| 17 |
user read permission without affecting anything else. |
| 18 |
|
| 19 |
The '700' mode doesn't really make sense anymore after you apply an |
| 20 |
ACL.. the whole permissions-as-bits concept gets highly convoluted[1] |
| 21 |
but if you just want to add read access for one user it's easy. |
| 22 |
|
| 23 |
You can use setfacl to add permissions, and double-check with getfacl |
| 24 |
that they do what you think they do. The examples in `man setfacl` are |
| 25 |
pretty easy to understand. |
| 26 |
|
| 27 |
|
| 28 |
>> The easiest method, though, is to just add a third stage. Either move |
| 29 |
>> the backups on the backup server to another directory after the backup |
| 30 |
>> job completes, or sync/burn/whatever them off-site. In this case the |
| 31 |
>> backup server can't access anything you don't give it, and the |
| 32 |
>> individual servers can't trash their backed-up data. |
| 33 |
> |
| 34 |
> I don't see how that could work in an automated fashion. Could you |
| 35 |
> give me an example? |
| 36 |
|
| 37 |
We do push backups to one server, backup1, every night. Then, every day, |
| 38 |
backup1 syncs to another server, backup2. The individuals servers have |
| 39 |
no access to backup2, and it's physically separate from backup1. |
| 40 |
|
| 41 |
I make physical, removable, backups of backup2 every once in a while, |
| 42 |
but not as often as I should. |
| 43 |
|
| 44 |
|
| 45 |
[1] http://www.suse.de/~agruen/acl/linux-acls/online/ |
Archives