| 1 |
>> >> Isn't that a gaping security hole? I think this amounts to granting |
| 2 |
>> >> the backup server root read access (and write access if you want to |
| 3 |
>> >> restore) on each client? |
| 4 |
>> > |
| 5 |
>> > How can you backup system files without root read access? You are |
| 6 |
>> > granting this to s specific user, one without a login shell, on the |
| 7 |
>> > server. |
| 8 |
>> |
| 9 |
>> If the backup server is infiltrated, the infiltrator would have root |
| 10 |
>> read access to each of the clients, correct? If the clients push to |
| 11 |
>> the backup server instead, their access on the server can be |
| 12 |
>> restricted to the backup directory. |
| 13 |
> |
| 14 |
> Yes, but with push you have to secure each machine whereas with pull |
| 15 |
> backups it's only the server to secure. And you'd still need to grant |
| 16 |
> access to the server from the clients, which could be escalated. With |
| 17 |
> backuppc, the server does not need to be accessible from the Internet at |
| 18 |
> all, all requests are outgoing. If the server machine serves other |
| 19 |
> purposes and needs to be net-accessible, run the backup server in a |
| 20 |
> chroot or VM. |
| 21 |
|
| 22 |
I'm planning to rsync --fake-super the important files from each |
| 23 |
client to a particular folder on the backup server as an unprivileged |
| 24 |
user and then have the backup server run rdiff-backup locally to |
| 25 |
maintain a history of those files. authorized_keys on the server |
| 26 |
would restrict the clients to a particular rsync command in a |
| 27 |
particular directory. That way if the backup server is infiltrated, |
| 28 |
the clients aren't exposed in any way, and if a client is infiltrated, |
| 29 |
the only extra exposure is the rsync'ed copy of the files on the |
| 30 |
server which isn't a real vulnerability because of the rdiff-backup |
| 31 |
history. I'd also like to have a secondary backup server pull those |
| 32 |
same rsync'ed files from the primary backup server and run its own |
| 33 |
rdiff-backup repository on them. That way all copies of any system's |
| 34 |
backups are never made vulnerable by the break-in of a single system. |
| 35 |
|
| 36 |
Doesn't that compare favorably to a layout like backuppc's? |
| 37 |
|
| 38 |
- Grant |
Archives