rdiff-backup-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [rdiff-backup-users] Clarification of --restrict-update-only

From: Chris G
Subject: Re: [rdiff-backup-users] Clarification of --restrict-update-only
Date: Wed, 4 Feb 2009 20:56:21 +0000
User-agent: Mutt/1.5.17 (2007-11-01) 
On Wed, Feb 04, 2009 at 03:33:05PM -0500, John covici wrote:
> on Wednesday 02/04/2009 Chris G(address@hidden) wrote
>  > On Wed, Feb 04, 2009 at 01:52:32PM -0500, John covici wrote:
>  > > on Wednesday 02/04/2009 Chris G(address@hidden) wrote
>  > >  > I'm using rdiff-backup to backup files across a LAN.  The destination
>  > >  > machine has a dedicated backup account which has passwordless ssh
>  > >  > login set up for client machines that want to do backups.
>  > >  > 
>  > >  > To make things a bit more secure I have added the following to my
>  > >  > sshd_config on the destination/backup machine:-
>  > >  > 
>  > >  >     Match User=bak
>  > >  >     ForceCommand rdiff-backup --server
>  > >  > 
>  > >  > So far so good.  I can backup as required but it's not possible to
>  > >  > login to the bak account using ssh.  I'd like to lock it down a bit
>  > >  > further by using the --restrict-update-only option so that if an
>  > >  > intruder did gain access to a client machine they wouldn't be able to
>  > >  > remove anything useful from the backups by deleting or overwriting.
>  > >  > 
>  > >  > However I'm not quite clear how --restrict-update-only works, can I
>  > >  > just do something like:-
>  > >  > 
>  > >  >     Match User=bak
>  > >  >     ForceCommand rdiff-backup --server --restrict-update-only /
>  > >  > 
>  > >  > and thus prevent anything other than updates for *all* backups?
>  > >  > 
>  > >
>  > > Why don't you just have in your sshd config 
>  > > PermitRootLogin without-password
>  > > 
>  > > and have a public key of your client in the
>  > > /root/.ssh/authorized_hosts on the server.  I don't think the
>  > > restrict-update is very secure anyway, but this works well.
>  > > 
>  > That would permit exactly what I'm trying to avoid wouldn't it?
>  > 
>  > If (heaven forbid) an intruder got root access to my machine (which is
>  > the backup client) then they would have free access to the backup
>  > machine as well.  Thus a malicious intruder would be able to delete
>  > everything on my machine *and* on the backup machine as well.
>  > 
>  > What I'm trying to do is have a backup which isn't trivially
>  > accessible from the client.
>  > 
> But you could do the same thing on your client so no one could ever
> log in to root unless they had a public key on your client.
> 
If I never turn it on it will be perfectly safe.  :-)

Yes, my client (the machine to be backed up) is fairly secure. 
However given that ssh access from the outside world is allowed (even
if only for non-root and from specific IPs) there is a risk that
someone could get into it and wreak havoc.  What I want to do is to
minimise the risk that anyone who does that will also be able to get
at my backups and destroy them too.

-- 
Chris Green
reply via email to
[Prev in Thread] Current Thread [Next in Thread]