
Re: [rdiff-backup-users] Post-setup questions


From: Dominic Raferd
Subject: Re: [rdiff-backup-users] Post-setup questions
Date: Fri, 19 Aug 2011 06:47:52 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11

On 18/08/11 22:47, Grant wrote:

> And, looking at the whole subject from a different angle: pushing also has
> the large drawback that in case your laptop is stolen/lost/whatever, and you
> use an ssh key for rdiff-backup to connect to your backup server, you risk
> not only losing your 'real' systems, but the backup server can also be
> compromised if an attacker starts using that key.
> If I were to set up a separate user for each pushed backup and one of
> the systems were compromised, only the compromised system's backups
> would be accessible to the attacker (read/write unfortunately).

Practically this seems to me a pretty good solution. Push your backup from your laptop to a dedicated user on the (GNU/Linux) backup server, ensuring that its users cannot access (read or write) other users' data:

To ensure privacy for any new users on the backup server, in /etc/adduser.conf add/alter:
DIR_MODE=0700

For existing users on the backup server, run:
sudo chmod 700 /home/*

When you create a user on the backup server, don't set a password i.e. login is only by public/private key authentication. Use a dedicated private key on the laptop for the backup, and put its public key on the backup server at (and only at) /home/[user]/.ssh/authorized_keys.

You need to be happy that there is nothing readable (or writeable) by a non-privileged user on the backup server that you would not want a hacker to see e.g. at /var/ or /opt/. For tighter security on the backup server you can limit the user to running a single command e.g. http://www.cmdln.org/2008/02/11/restricting-ssh-commands/.

If the laptop is stolen, remove the corresponding public key from the backup server so that the laptop can no longer get access. And even if the thief moved fast enough to get into the backup server before you could remove the public key, she could only access the backup history for that laptop, and she has the laptop's data already...

Dominic
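The server-side setup described in the message above, collected into shell functions. This is an added example, not code from the original post or from the rdiff-backup project. It assumes a Debian-style server (adduser, /etc/adduser.conf), OpenSSH authorized_keys options (command=, no-pty and friends), and rdiff-backup 1.x, whose man page documents --server and --restrict; check the flag against the version you run. BACKUP_ROOT is a hypothetical variable, defaulting to /home, so the key-handling and audit functions can be tried against a scratch directory without root; set_private_home_default and provision_backup_user need root and touch the real system.

```shell
#!/bin/sh
# Added example (not from the original post): provisioning a dedicated,
# key-only, per-laptop backup account whose ssh key can do nothing but run
# an rdiff-backup server session confined to its own home.

BACKUP_ROOT="${BACKUP_ROOT:-/home}"   # hypothetical; /home on a real server

# One-time server setting (root): new home directories are created 0700 and
# existing ones are closed, so one backup user cannot read another's history.
set_private_home_default() {
    if grep -q '^DIR_MODE=' /etc/adduser.conf; then
        sed -i 's/^DIR_MODE=.*/DIR_MODE=0700/' /etc/adduser.conf
    else
        echo 'DIR_MODE=0700' >> /etc/adduser.conf
    fi
    chmod 700 "$BACKUP_ROOT"/*
}

# The authorized_keys entry for one laptop. The forced command means a stolen
# key yields an rdiff-backup server session and nothing else; --restrict
# confines that session to this user's backup directory; the no-* options
# drop the shell, port/X11 forwarding and agent forwarding ssh would grant.
restricted_key_line() {
    user="$1"; pubkey="$2"
    printf 'command="rdiff-backup --server --restrict=%s/%s/backup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$BACKUP_ROOT" "$user" "$pubkey"
}

# Write the single authorized_keys entry with the permissions sshd requires.
install_key() {
    user="$1"; pubkey="$2"
    home="$BACKUP_ROOT/$user"
    mkdir -p "$home/.ssh"
    chmod 700 "$home" "$home/.ssh"
    restricted_key_line "$user" "$pubkey" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # only meaningful when the account exists (i.e. when run as root)
    if id "$user" >/dev/null 2>&1; then chown -R "$user:$user" "$home/.ssh"; fi
}

# Create the account with no password (key login only) and install its key.
provision_backup_user() {
    user="$1"; pubkey="$2"
    adduser --disabled-password --gecos "" --home "$BACKUP_ROOT/$user" "$user"
    install_key "$user" "$pubkey"
}

# Laptop stolen: empty the key file so that laptop can no longer connect.
revoke_key() {
    user="$1"
    : > "$BACKUP_ROOT/$user/.ssh/authorized_keys"
}

# Audit: every directory under BACKUP_ROOT must be exactly 0700.
# Prints offenders and returns 1 if any were found, 0 otherwise.
audit_private_homes() {
    rc=0
    for d in "$BACKUP_ROOT"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        if [ -z "$(find "$d" -prune -perm 0700)" ]; then
            echo "not private: $d"
            rc=1
        fi
    done
    return $rc
}
```

On the real server you would run set_private_home_default once, then provision_backup_user laptop1 "$(cat laptop1.pub)" per machine, and point the laptop's rdiff-backup at laptop1@server::backup. The forced command is what the "restricting ssh commands" link in the message amounts to; even with it in place, the key still has read/write access to that one user's backup history, which is the residual risk the thread describes.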
