BackupPC-users

Re: [BackupPC-users] security & web server questions

2013-07-10 04:59:18
Subject: Re: [BackupPC-users] security & web server questions
From: Brad Alexander <storm16 AT gmail DOT com>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Wed, 10 Jul 2013 04:57:55 -0400
The method I use is that I use rsync+ssh. I then create a regular backuppc user and limit sudo access to the tools needed to perform the backup, plus anything needed to be done as root in the pre/post backup scripts, such as my dbdump script. Here is my /etc/sudoers.d/backuppc:

# This file is managed by puppet. Do not edit locally.
Cmnd_Alias    BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
backuppc        ALL=NOPASSWD:BACKUP

This allows me access to all the files to be backed up/restored, and limits the backuppc user to the specific tools needed to perform the task. An attacker could get in and cause mischief, but that risk is far overshadowed by missing backups in a DR type scenario.

--b



On Sat, Jul 6, 2013 at 7:38 PM, Igor Sverkos <igor.sverkos AT googlemail DOT com> wrote:
Hi,

I can understand the question. If BackupPC uses root permission,
your BackupPC will become the No. 1 target. Because when the attacker
controls your BackupPC, she can access every box within your network
as root. Nothing you really want. And in business, you will have
multiple sys-admins... but as the VPN/Firewall admin you want your
servers to be backed up, but you shouldn't trust your colleague who
is running the backup server too much. Because it is your ass which
will get kicked when someone compromises the systems under your
responsibility.

Two ways we are using:
1) If you really know what folder you want to be backed up, create a
user "backup" and add an ACL which allows the user "backup" to read
these folders.

2) If you don't know what folders you want to be backed up or you want
to back up everything, also create a user "backup" and lock it down.
Now, create a copy of rsync. Make sure only the user "backup" can
execute this file. Set the CAP_DAC_READ_SEARCH capability for the
private rsync copy. Now, the user "backup" can access all your data
like root can, but if anybody gets access to that user on that
box, he/she is very limited.


--
Regards.
Igor

_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
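
An added example, not part of the thread or of BackupPC: a small audit of the /etc/sudoers.d/backuppc file quoted in the reply above. sudoers matches a command listed without arguments against any argument list, so the check reports which NOPASSWD entries leave their options open. It parses only the syntax used on this page (Cmnd_Alias plus a one-line user spec); the function names are assumptions.

```python
import re

# Constructed input: the sudoers lines quoted in the reply above.
SUDOERS = """\
# This file is managed by puppet. Do not edit locally.
Cmnd_Alias    BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
backuppc        ALL=NOPASSWD:BACKUP
"""

def parse_aliases(text):
    """Map each Cmnd_Alias name to its list of command specs."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def audit(text):
    """Return (user, command, finding) for every NOPASSWD grant."""
    aliases = parse_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("Cmnd_Alias"):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$", line)
        if not m:
            continue
        user, cmds = m.group(1), m.group(2)
        for item in (c.strip() for c in cmds.split(",")):
            # Expand an alias name; anything else is a literal command spec.
            for cmd in aliases.get(item, [item]):
                parts = cmd.split(None, 1)
                if not parts[0].startswith("/"):
                    findings.append((user, cmd, "not an absolute path"))
                elif len(parts) == 1:
                    # No argument list in sudoers: any arguments match.
                    findings.append((user, cmd, "any arguments allowed"))
                else:
                    findings.append((user, cmd, "arguments pinned"))
    return findings

if __name__ == "__main__":
    for user, cmd, finding in audit(SUDOERS):
        print(f"{user}: {cmd}: {finding}")
```

An entry followed by `""` in sudoers permits the command only with no arguments at all, which the audit reports as pinned.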
