rdiff-backup-users

Re: [rdiff-backup-users] Clarification of --restrict-update-only


From: Chris G
Subject: Re: [rdiff-backup-users] Clarification of --restrict-update-only
Date: Wed, 4 Feb 2009 20:18:55 +0000
User-agent: Mutt/1.5.17 (2007-11-01)

On Wed, Feb 04, 2009 at 01:52:32PM -0500, John covici wrote:
> on Wednesday 02/04/2009 Chris G(address@hidden) wrote
>  > I'm using rdiff-backup to backup files across a LAN.  The destination
>  > machine has a dedicated backup account which has passwordless ssh
>  > login set up for client machines that want to do backups.
>  > 
>  > To make things a bit more secure I have added the following to my
>  > sshd_config on the destination/backup machine:-
>  > 
>  >     Match User=bak
>  >     ForceCommand rdiff-backup --server
>  > 
>  > So far so good.  I can backup as required but it's not possible to
>  > login to the bak account using ssh.  I'd like to lock it down a bit
>  > further by using the --restrict-update-only option so that if an
>  > intruder did gain access to a client machine they wouldn't be able to
>  > remove anything useful from the backups by deleting or overwriting.
>  > 
>  > However I'm not quite clear how --restrict-update-only works, can I
>  > just do something like:-
>  > 
>  >     Match User=bak
>  >     ForceCommand rdiff-backup --server --restrict-update-only /
>  > 
>  > and thus prevent anything other than updates for *all* backups?
>  > 
>
> Why don't you just have in your sshd config 
> PermitRootLogin without-password
> 
> and have a public key of your client in the
> /root/.ssh/authorized_hosts on the server.  I don't think the
> restrict-update is very secure anyway, but this works well.
> 
That would permit exactly what I'm trying to avoid wouldn't it?

If (heaven forbid) an intruder got root access to my machine (which is
the backup client) then they would have free access to the backup
machine as well.  Thus a malicious intruder would be able to delete
everything on my machine *and* on the backup machine as well.

What I'm trying to do is have a backup which isn't trivially
accessible from the client.

-- 
Chris Green
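
A way to check a backup host's sshd_config for the setup discussed in this message, as an added example that is not part of the original post: it reports, for each Match block, whether the ForceCommand starts `rdiff-backup --server` and whether one of rdiff-backup's `--restrict*` options confines it to a path. The sample config is constructed from the two snippets quoted above, and the user `bak2` is hypothetical.

```python
import shlex

RESTRICT_FLAGS = ("--restrict", "--restrict-read-only", "--restrict-update-only")

# Constructed sample: the first Match block is the one from the message, the
# second is the variant the poster asks about (user "bak2" is hypothetical).
SAMPLE = """\
PasswordAuthentication no

Match User=bak
    ForceCommand rdiff-backup --server

Match User=bak2
    ForceCommand rdiff-backup --server --restrict-update-only /
"""

def match_blocks(text):
    """Yield (match_criteria, {keyword: argument}) for each Match block."""
    criteria, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, arg = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            if criteria is not None:
                yield criteria, opts
            criteria, opts = arg, {}
        elif criteria is not None:
            opts.setdefault(keyword, arg)  # sshd keeps the first value it sees
    if criteria is not None:
        yield criteria, opts

def classify(force_command):
    """Describe how far a forced command confines the rdiff-backup server."""
    if force_command is None:
        return "no ForceCommand: client chooses the command"
    argv = shlex.split(force_command)
    if not argv or not argv[0].endswith("rdiff-backup") or "--server" not in argv:
        return "ForceCommand is not rdiff-backup --server"
    for i, arg in enumerate(argv):
        flag, eq, value = arg.partition("=")
        if flag in RESTRICT_FLAGS:
            path = value if eq else (argv[i + 1] if i + 1 < len(argv) else "")
            return f"{flag} {path}" if path else f"{flag} is missing its path"
    return "no --restrict* option: server not confined to a path"

def audit(text):
    return {crit: classify(o.get("forcecommand")) for crit, o in match_blocks(text)}

if __name__ == "__main__":
    for criteria, verdict in audit(SAMPLE).items():
        print(f"Match {criteria}: {verdict}")
```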



