

From: Ben Escoto
Subject: Re: [Duplicity-talk] how might you keep remote backups safe given a hacked machine?
Date: Sat, 4 Jan 2003 23:04:52 -0800
User-agent: Mutt/1.4i

On Sat, Jan 04, 2003 at 11:41:06PM -0600, Rob Browning wrote:
> While thinking of the security issues, it occurred to me that
> duplicity's current facilities might not provide a way to protect a
> given machine's backups if that machine were compromised (a situation
> where you really *need* your backups :>)

Yes, this is a good point and well worth considering.  The basic
problem is that there seem to be two different access modes that
might be necessary.  Basic backing up only requires write access,
while options like --cleanup and --remove-older-than delete files.

Well, there really might be two problems: 1) enabling write-only
access, 2) restricting yourself to write-only access most of the time
while still giving yourself full access sometimes.

About problem 1), if in write-only mode you didn't allow yourself any
file modification abilities, then you could get something similar to
write-only mode by hard linking all the new files with a different
user.  You could always just copy them over with a different user, but
this would use twice the space.  I think if you had root on the
remote machine, it should be safe to chown the existing files, and
then hard link them.  The duplicity user could delete the files, which
wouldn't do anything (since they would still be hard linked), but
could not modify the existing files.

If you wanted a pull mode, why not just back up locally and have the
server get the files?  There may currently be some sanity checking
preventing this, but otherwise you don't need any files in the target
directory for normal backup operations, assuming you use the
--archive-dir option.

About problem 2), maybe there is some clever way of doing this with a
normal ssh account.  Perhaps you could alter your shell to give you a
chroot account, unable to modify any files, but with access to a
special command, which, when supplied with a password, would restore
your normal abilities.


-- 
Ben Escoto
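The hard-link scheme sketched for problem 1), written out as an added example that is not duplicity's code and not from anyone in this thread: a privileged job on the backup host links each newly uploaded volume into an archive directory the backup user cannot write, locks the shared inode, and keeps a digest manifest so the host can later tell whether an archived volume was altered. The directory layout, the `.difftar.gpg` names and the file contents are constructed for the demo; the chown step only runs when the job is root, as the mail assumes.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def protect_new_volumes(incoming, archive, archive_uid=None):
    """Hard-link each not-yet-archived volume from `incoming` into `archive` and
    lock the shared inode: strip write bits and, when running as root, chown it
    away from the backup user (a non-root owner could simply chmod it back).
    Returns {name: sha256} for everything now held in the archive."""
    os.makedirs(archive, exist_ok=True)
    for name in sorted(os.listdir(incoming)):
        src, dst = os.path.join(incoming, name), os.path.join(archive, name)
        # Plain files only; an existing archive name is never replaced.
        if os.path.islink(src) or not os.path.isfile(src) or os.path.exists(dst):
            continue
        os.link(src, dst)
        os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP)
        if archive_uid is not None and os.geteuid() == 0:
            os.chown(dst, archive_uid, -1)
    return {n: sha256_file(os.path.join(archive, n)) for n in os.listdir(archive)}

def verify_archive(archive, manifest):
    """Return names whose archive copy is missing or no longer matches the manifest."""
    bad = []
    for name, digest in manifest.items():
        path = os.path.join(archive, name)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            bad.append(name)
    return bad

def demo():
    """Constructed scenario: two volumes are dropped and protected, then the drop
    directory is emptied, as a compromised client could do. Returns (all
    volumes still readable from the archive, names that failed verification)."""
    root = tempfile.mkdtemp()
    incoming, archive = os.path.join(root, "incoming"), os.path.join(root, "archive")
    os.makedirs(incoming)
    volumes = {"vol1.difftar.gpg": b"ciphertext 1", "vol2.difftar.gpg": b"ciphertext 2"}
    for name, data in volumes.items():
        with open(os.path.join(incoming, name), "wb") as f:
            f.write(data)
    manifest = protect_new_volumes(incoming, archive)
    for name in volumes:
        os.remove(os.path.join(incoming, name))  # unlink succeeds; the inode lives on
    survived = {n: open(os.path.join(archive, n), "rb").read() for n in volumes}
    return survived == volumes, verify_archive(archive, manifest)
```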
