Hi,
Richard Shaw wrote on 2011-08-14 07:20:58 -0500 [Re: [BackupPC-users]
Suggestions on how to back up a host]:
> On Sat, Aug 13, 2011 at 10:21 PM, Kenneth L. Owen
> <tx836519 AT bellsouth DOT net> wrote:
> > I use the sudoer's method to allow backuppc to log in with no password,
> > but with a limited privilege only sufficient to perform the necessary
> > functions.
>
> If you decide to go that route I would definitely use rsync. From what
> I read if you have sudo access to "tar" then it's pretty easy to do
> whatever your want on a system.
how is rsync supposed to be any different? You *can* limit both tar and rsync
to read access, which will obviously disable automatic restores, or to specific
directories, which is more complicated.
But yes, if you don't limit it, sudo access to either tar or rsync is not that
much of an improvement over direct ssh access, concerning what an attacker can
do if he gains access. It might be able to limit the implications of a
misconfiguration or reduce the amount of attack vectors, though.
You *can* limit ssh access to a certain command - whether you use the root
user or an unprivileged user. So there are quite a few places where you can
control what is going on. In any case, you need to be careful about what you
allow - switching off root ssh login and allowing any tar or rsync invocation
with sudo alone does not make anything more secure.
Regards,
Holger
------------------------------------------------------------------------------
FREE DOWNLOAD - uberSVN with Social Coding for Subversion.
Subversion made easy with a complete admin console. Easy
to use, easy to manage, easy to install, easy to extend.
Get a Free download of the new open ALM Subversion platform now.
http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
|
