1 |
>> >> Isn't that a gaping security hole? I think this amounts to granting |
2 |
>> >> the backup server root read access (and write access if you want to |
3 |
>> >> restore) on each client? |
4 |
>> > |
5 |
>> > How can you backup system files without root read access? You are |
6 |
>> > granting this to s specific user, one without a login shell, on the |
7 |
>> > server. |
8 |
>> |
9 |
>> If the backup server is infiltrated, the infiltrator would have root |
10 |
>> read access to each of the clients, correct? If the clients push to |
11 |
>> the backup server instead, their access on the server can be |
12 |
>> restricted to the backup directory. |
13 |
> |
14 |
> Yes, but with push you have to secure each machine whereas with pull |
15 |
> backups it's only the server to secure. And you'd still need to grant |
16 |
> access to the server from the clients, which could be escalated. With |
17 |
> backuppc, the server does not need to be accessible from the Internet at |
18 |
> all, all requests are outgoing. If the server machine serves other |
19 |
> purposes and needs to be net-accessible, run the backup server in a |
20 |
> chroot or VM. |
21 |
|
22 |
I'm planning to rsync --fake-super the important files from each |
23 |
client to a particular folder on the backup server as an unprivileged |
24 |
user and then have the backup server run rdiff-backup locally to |
25 |
maintain a history of those files. authorized_keys on the server |
26 |
would restrict the clients to a particular rsync command in a |
27 |
particular directory. That way if the backup server is infiltrated, |
28 |
the clients aren't exposed in any way, and if a client is infiltrated, |
29 |
the only extra exposure is the rsync'ed copy of the files on the |
30 |
server which isn't a real vulnerability because of the rdiff-backup |
31 |
history. I'd also like to have a secondary backup server pull those |
32 |
same rsync'ed files from the primary backup server and run its own |
33 |
rdiff-backup repository on them. That way all copies of any system's |
34 |
backups are never made vulnerable by the break-in of a single system. |
35 |
|
36 |
Doesn't that compare favorably to a layout like backuppc's? |
37 |
|
38 |
- Grant |