
[Duplicity-talk] security issues


From: Rob Browning
Subject: [Duplicity-talk] security issues
Date: Sat, 04 Jan 2003 13:26:43 -0600
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.2 (i386-pc-linux-gnu)

I'm trying to think through the security issues involved when using
duplicity to back up to a remote machine via ssh or scp.  Ideally I'd
like to provide very limited access on the target machine, and such a
facility might be really helpful when trying to convince someone else
to host your backups.

Right now, if duplicity was using just ssh (rather than scp) it seems
like you might be able to use the ssh key "command=foo" facility to
good effect.  However I'm not sure that helps when scp is involved.

One alternative might be to add a new transport, say agent:, and with
a target-side command, duplicity-agent, that was specifically designed
for use via "command=/usr/bin/duplicity-agent".  duplicity-agent would
be very careful to only allow the operations that duplicity requires
for backup and restore operations, to use chroot if appropriate, to
sterilize its environment, etc.

duplicity-agent might have a config file, or perhaps it would just
accept command line arguments:

  command="duplicity-agent --restrict-to-dir /backup/dup/"

etc.

Of course if designed appropriately, duplicity-agent could probably
also be used in other cases, even when ssh wasn't involved, i.e. via
normal rsh methods when you're on a secure VPN etc.

Thoughts?

-- 
Rob Browning
rlb @defaultvalue.org, @linuxdevel.com, and @debian.org
Previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592  F9A0 25C8 D377 8C7E 73A4
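
The request check that a forced-command helper like the one proposed above would need, as an added example; it is not part of the original post and not duplicity code. The operation names, the flat one-directory layout, and taking the restricted directory as the first argument are assumptions, and only the authorization step is shown.

```python
import os
import shlex
import sys

# Assumed operation names; the post does not enumerate them.
ALLOWED_OPS = {"list", "get", "put", "delete"}


class Rejected(Exception):
    """The request falls outside what the restricted key may do."""


def authorize(original_command, restrict_dir):
    """Check a client request against the policy; return (op, absolute path)."""
    try:
        words = shlex.split(original_command)
    except ValueError as exc:
        raise Rejected(f"unparseable request: {exc}")
    if not words or words[0] not in ALLOWED_OPS:
        raise Rejected("operation not permitted")
    op, args = words[0], words[1:]
    base = os.path.realpath(restrict_dir)
    if op == "list":
        if args:
            raise Rejected("list takes no arguments")
        return op, base
    if len(args) != 1:
        raise Rejected(f"{op} takes exactly one file name")
    name = args[0]
    # Flat store: bare file names only (no separators, dot entries, NULs,
    # or a leading '-' that a later tool could read as an option).
    if not name or name in (".", "..") or "/" in name or "\0" in name or name.startswith("-"):
        raise Rejected("invalid file name")
    # realpath resolves symlinks, so a link planted inside the directory
    # cannot redirect the request outside it.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise Rejected("path escapes restricted directory")
    return op, target


if __name__ == "__main__":
    # sshd passes the client's requested command to a forced command in
    # the SSH_ORIGINAL_COMMAND environment variable.
    try:
        op, path = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""), sys.argv[1])
    except Rejected as exc:
        sys.exit(f"denied: {exc}")
    print(f"authorized {op} on {path}")
```

In `authorized_keys` the `command=` entry is normally combined with `no-port-forwarding`, `no-X11-forwarding`, `no-agent-forwarding` and `no-pty`, so the key cannot be used for anything except reaching the helper.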



