From: Neil Bothwick <neil@digimed.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] rsync backup system
Date: Thu, 25 Feb 2010 17:45:22 +0000
Message-ID: <20100225174522.73157f24@zaphod.digimed.co.uk>
In-Reply-To: <201002251741.13525.alan.mckinnon@gmail.com>
On Thu, 25 Feb 2010 17:41:13 +0200, Alan McKinnon wrote:
> And someone gets into your backup server, BANG! instant pwnage of every
> single machine on your network. Heck, you don't even have to try and
> compromise the local root account, you already have full unfettered
> access to everything anyway.
Which is why you don't allow access to the backup server from outside of
the network, and restrict root access from inside. Because backups are
initiated from the server, it doesn't actually need any ports open to do
its job, although a web server is needed to run the user interface
(which isn't necessary). The ebuild sets up a separate instance of
Apache just for this, so even if you are already running Apache on the
backup server (which is a crazy idea to start with) compromising that
won't get you into the backups.
> Worse, I'll bet the server software runs
> as an unprivileged user, so you can just bypass the bit where you have
> to compromise root there as well.
You lose :P
The server runs as a restricted user, with no login shell.
--
Neil Bothwick
WinErr 042: Virus error - A virus has been activated in a dos-box. The
virus, however, requires Windows. All tasks will automatically be closed
and the virus will be activated again.