rdiff-backup-users

Re: [rdiff-backup-users] Clarification of --restrict-update-only


From: Chris G
Subject: Re: [rdiff-backup-users] Clarification of --restrict-update-only
Date: Thu, 5 Feb 2009 14:10:12 +0000
User-agent: Mutt/1.5.17 (2007-11-01)

On Thu, Feb 05, 2009 at 01:13:23PM +0000, Dominic wrote:
> Chris G wrote:
>>>
>>>> Anyway, back to the original point of my question, if I put:-
>>>>
>>>>     Match User=bak
>>>>     ForceCommand rdiff-backup --server --restrict-update-only /
>>>>
>>>> at the end of my sshd configuration on the backup server will it prevent
>>>> rdiff-backup doing anything but updates on any/every part of the
>>>> backup hierarchy?
>>>>       
>>> From my reading of man page I think you are correct, but I suggest you 
>>> accept the position of 'restrict-update-only Tester In Chief' and let us 
>>> know how you get on! I would be interested to know if it causes any 
>>> problems when comparing or recovering files (but I don't think it 
>>> should). Can you use it when creating a new repository?
>> K, I'll add the extra parameter and see how it all goes.
> To get you started I did a list of rdiff-backup options below showing 
> whether they should work okay when used on the rdiff-backup push client 
> side with your proposed --restrict-update-only server-side restriction - 
> 'Yes' means I think it should always work and 'No' means I think it might 
> sometimes or always cause a failure depending on the situation.
>
> The ones I think most interesting are first whether new repositories can be 
> created (logically yes, but does it work?), and second 
> --check-destination-dir (and automatic fixing of a previous failed backup). 
> Logically --check-destination-dir should work because the action that 
> rdiff-backup takes in this case is not a security risk (it is only undoing 
> a backup that has failed, and a malicious user cannot use it to remove 
> valid backups), but as it involves deleting data on the server 
> --restrict-update-only might prevent it. I guess the best way to find out 
> for sure is to create a failed backup and try it...
>
Excellent, thank you for all this information.

> Some historic (Jun 2006) discussion here: 
> http://www.nabble.com/-bug--16897--Security-Violation-on-first-increment-while-using-restrict-update-only-td4963925.html
>
> Dominic
>
> ???       [default], -b, --backup-mode (might be a problem creating new
>           repositories?)
> Yes       --calculate-average
> Yes       --carbonfile
> ???       --check-destination-dir (and automatic fixing of a previous
>           failed backup)
> Yes       --compare*
> No        --create-full-path
> Yes       --current-time seconds
> Yes       --exclude*
> No        --force
> Yes       --group-mapping-file filename
> Yes       --include*
> Yes       --list*
> Yes       --max-file-size size
> Yes       --min-file-size size
> Yes       --never-drop-acls
> Yes       --no-*
> Yes       --null-separator
> Yes       --parsable-output
> Yes       --override-chars-to-quote
> Yes       --preserve-numerical-ids
> Yes       --print-statistics
> Yes       -r, --restore-as-of restore_time
> Yes       --remote-schema schema
> No        --remote-tempdir path (workaround: add --tempdir to
>           ForceCommand in sshd_config?)
> No        --remove-older-than time_spec
> N/A       --restrict path
> N/A       --restrict-read-only path
> N/A       --restrict-update-only path
> N/A       --server
> Yes       --ssh-no-compression
> Yes       --tempdir path
> Yes       --terminal-verbosity [0-9]
> Yes       --test-server
> Yes       --use-compatible-timestamps
> Yes       --user-mapping-file filename
> Yes       -v[0-9], --verbosity [0-9]
> Yes       --verify*
> Yes       -V, --version
>

-- 
Chris Green
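
One way to check that an sshd configuration really confines a backup user in the way discussed in this thread, given as an added example that is not part of the original messages or of rdiff-backup. The sample configuration is constructed, `bak2` is a hypothetical second user, the function names are illustrative, and only literal user names in `Match User` are handled (no patterns or negation).

```python
import os
import re
import shlex

# Constructed sample: the Match block quoted in the message, plus a
# hypothetical second user whose forced command lacks any restriction.
SAMPLE = """\
Match User=bak
    ForceCommand rdiff-backup --server --restrict-update-only /

Match User bak2
    ForceCommand rdiff-backup --server
"""

RESTRICT_OPTS = ("--restrict", "--restrict-read-only", "--restrict-update-only")

def forced_commands(config_text):
    """Map each user named in a 'Match User' block to its ForceCommand argv."""
    result, current = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Tolerate "Keyword value" and "Keyword=value" (the message uses User=bak).
        keyword, rest = re.match(r"(\w+)\s*=?\s*(.*)", line).groups()
        if keyword.lower() == "match":
            crit = rest.replace("=", " ").split()
            pairs = dict(zip((c.lower() for c in crit[0::2]), crit[1::2]))
            current = pairs["user"].split(",") if "user" in pairs else []
            for user in current:
                result.setdefault(user, None)
        elif keyword.lower() == "forcecommand":
            for user in current:
                if result[user] is None:  # sshd keeps the first value it sees
                    result[user] = shlex.split(rest)
    return result

def audit(config_text):
    """Return {user: verdict} describing how each user's server is confined."""
    verdicts = {}
    for user, argv in forced_commands(config_text).items():
        if not argv:
            verdicts[user] = "no ForceCommand"
        elif os.path.basename(argv[0]) != "rdiff-backup" or "--server" not in argv:
            verdicts[user] = "not an rdiff-backup server"
        else:
            found = [f"{o} {argv[i + 1]}" for i, o in enumerate(argv[:-1])
                     if o in RESTRICT_OPTS]
            verdicts[user] = found[0] if found else "unrestricted server"
    return verdicts
```

Calling `audit()` on the text of the server's sshd configuration shows, per user, which restriction and path the forced server runs with; a verdict of "unrestricted server" or "no ForceCommand" means the client side is not limited to updates.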



