| 1 |
>> I'm planning to rsync --fake-super the important files from each |
| 2 |
>> client to a particular folder on the backup server as an unprivileged |
| 3 |
>> user and then have the backup server run rdiff-backup locally to |
| 4 |
>> maintain a history of those files. |
| 5 |
> |
| 6 |
> How does that work with files that aren't world-readable? |
| 7 |
|
| 8 |
The client can run rsync as root, the unprivileged user would be |
| 9 |
writing on the backup server. --fake-super writes all original |
| 10 |
ownership/permissions to xattrs in the files. |
| 11 |
|
| 12 |
>> authorized_keys on the server |
| 13 |
>> would restrict the clients to a particular rsync command in a |
| 14 |
>> particular directory. That way if the backup server is infiltrated, |
| 15 |
>> the clients aren't exposed in any way, and if a client is infiltrated, |
| 16 |
>> the only extra exposure is the rsync'ed copy of the files on the |
| 17 |
>> server which isn't a real vulnerability because of the rdiff-backup |
| 18 |
>> history. I'd also like to have a secondary backup server pull those |
| 19 |
>> same rsync'ed files from the primary backup server and run its own |
| 20 |
>> rdiff-backup repository on them. That way all copies of any system's |
| 21 |
>> backups are never made vulnerable by the break-in of a single system. |
| 22 |
>> |
| 23 |
>> Doesn't that compare favorably to a layout like backuppc's? |
| 24 |
> |
| 25 |
> It's a lot more work and doesn't cover everything. One of the advantages |
| 26 |
> of a pull system like BackupPC is that the only work needed on the client |
| 27 |
> is adding the backuppc user's key to authorized keys. Everything else is |
| 28 |
> done by the server. If the server cannot contact the client, or the |
| 29 |
> connection is broken mid-backup, it tries again. It also gives a single |
| 30 |
> point of configuration. If you want to change the backup plan fr all |
| 31 |
> machines, you make one change on one computer. |
| 32 |
|
| 33 |
If you have a crazy number of machines to back up, I could see |
| 34 |
sacrificing some security for convenience. Still I would think you |
| 35 |
could use something like puppet to have the best of both worlds. I |
| 36 |
have 5 machines and I think I can get it down to 3. |
| 37 |
|
| 38 |
> It works well, save work and minimises disk space usage, especially with |
| 39 |
> multiple similar clients. Preventing infiltration is simple as you don't |
| 40 |
> need to open it to the Internet at all, the backup server can be |
| 41 |
> completely stealthed and still do its job. |
| 42 |
|
| 43 |
Obviously the backup server has to be able to make outbound |
| 44 |
connections in order to pull so I think you're saying it could drop |
| 45 |
inbound connections, but then how could you talk to it? Do you mean a |
| 46 |
local backup server? |
| 47 |
|
| 48 |
- Grant |
Archives