On 13.11.2011 19:03, Grant wrote:
>>>> And if I pull, none of my backed-up systems are secure because anyone
>>>> who breaks into the backup server has root read privileges on every
>>>> backed-up system and will thereby "gain full root privileges quickly."
>>>
>>> IMO that depends on whether you also backup the authentication-related
>>> files or not. Exclude them from backup, ensure different root passwords
>>> for all boxes, and now you can limit the infiltration.
>>
>> If you're pulling to the backup server, that backup server has to be
>> able to log in to and read all files on the other servers. Including
>> e.g. your swap partition and device files.
> 
> What if I have each system save a copy of everything to be backed up
> from its own filesystem in a separate directory and change the
> ownership of everything in that directory so it can be read by an
> unprivileged backup user?  Then I could have the backup server pull
> that copy from each system without giving it root access to each
> system.  Can I somehow have the correct ownerships for the backup
> saved in a separate file for use during a restore?
> 
> - Grant
> 

You could just as well use an NFS share with no_root_squash. It is
really more a question of finding the right combination of tools to
ensure proper separation of concerns for server and client.

In fact, I think we are intermixing three distinct problems:
1. (Possible) limitations of rdiff-backup with regard to untrusted
backup servers or clients.
2. The purely technical question of which file transfer protocols protect
against write access from backup server to backup client and backup
client to older backups on the server.
3. The more or less organisational question of what level of protection
backups need and how fast security breaks have to be detected.

I think push vs. pull is just a secondary concern with regard to the
second question and has practically no relevance to the third one.

Regards,
Florian Philipp
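
Grant's question above, whether the correct ownerships can be saved in a separate file for use during a restore, can be handled with a small metadata manifest written before the staging copy is re-owned. The following is an added example, not part of the original thread; the function names and the JSON manifest format are assumptions made for illustration.

```python
import json
import os
import stat


def _entries(root):
    """Yield root and every path below it, without following symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def save_ownership(root, manifest_path):
    """Record uid, gid and permission bits of the original tree."""
    manifest = {}
    for path in _entries(root):
        st = os.lstat(path)
        manifest[os.path.relpath(path, root)] = {
            "uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)
    return manifest


def restore_ownership(root, manifest_path):
    """Reapply the recorded metadata to a restored tree (needs root for foreign uids)."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    real_root = os.path.realpath(root)
    restored = []
    for rel, meta in sorted(manifest.items()):
        path = os.path.normpath(os.path.join(real_root, rel))
        # The manifest travelled through the backup server, so treat it as
        # untrusted: refuse entries that lexically point outside the restore root.
        if os.path.commonpath([real_root, path]) != real_root:
            raise ValueError("manifest entry escapes restore root: %r" % rel)
        if not os.path.lexists(path):
            continue
        # chown first: changing the owner clears setuid/setgid bits.
        os.chown(path, meta["uid"], meta["gid"], follow_symlinks=False)
        if not os.path.islink(path):
            os.chmod(path, meta["mode"])
        restored.append(rel)
    return restored
```

Because the manifest decides ownership and setuid bits at restore time, it needs the same integrity protection as the backup itself, for example a signature or checksum kept on the client.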
