From: Neil Bothwick <neil@digimed.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} backups... still backups....
Date: Mon, 1 Jul 2013 01:29:18 +0100
Message-ID: <20130701012918.4f1ed146@digimed.co.uk>
In-Reply-To: <CAN0CFw2f421zGJYL5Vm4sDzNN8Yr99A3zHeNzQYF9C0kWjWEEg@mail.gmail.com>
On Sun, 30 Jun 2013 14:36:14 -0700, Grant wrote:
> >> Isn't that a gaping security hole? I think this amounts to granting
> >> the backup server root read access (and write access if you want to
> >> restore) on each client?
> >
> > How can you backup system files without root read access? You are
> > granting this to a specific user, one without a login shell, on the
> > server.
>
> If the backup server is infiltrated, the infiltrator would have root
> read access to each of the clients, correct? If the clients push to
> the backup server instead, their access on the server can be
> restricted to the backup directory.
Yes, but with push you have to secure each machine whereas with pull
backups it's only the server to secure. And you'd still need to grant
access to the server from the clients, which could be escalated. With
backuppc, the server does not need to be accessible from the Internet at
all, all requests are outgoing. If the server machine serves other
purposes and needs to be net-accessible, run the backup server in a
chroot or VM.
--
Neil Bothwick
Religious error: (A)tone, (R)epent, (I)mmolate?
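
The concern in the quoted text, a compromised pull server holding root read access on every client, can be narrowed on the client side. The following is an added example, not part of the message above or of BackupPC: a forced-command filter, assuming the pull runs rsync over SSH. The script path, `ALLOWED_ROOTS` and `is_allowed_pull` are hypothetical names.

```shell
#!/bin/sh
# Added example: forced-command gate for the backup server's SSH key on a client.
# Assumed authorized_keys entry (path and key are placeholders):
#   command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding <server-public-key>

# Constructed sample policy: directories the backup server may read.
ALLOWED_ROOTS="/etc /home /var/lib"

is_allowed_pull() {
    cmd=$1
    # Allow-list characters so the request can be word-split without a shell parser.
    case $(printf '%s' "$cmd" | tr -d ' ') in
        ''|*[!A-Za-z0-9./_=,:@+-]*) return 1 ;;
    esac
    # Only rsync in server mode with --sender: the client sends, never receives.
    case $cmd in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    # Refuse path traversal and sender-side options that delete or write files.
    case $cmd in
        *..*|*--remove-s*|*--log-file*) return 1 ;;
    esac
    seen_path=1
    for word in ${cmd#rsync --server --sender }; do
        case $word in
            -*|.) continue ;;   # options and the "." separator
            /*) ;;              # absolute path, checked below
            *) return 1 ;;      # relative paths are refused
        esac
        ok=1
        for root in $ALLOWED_ROOTS; do
            case $word in "$root"|"$root"/*) ok=0 ;; esac
        done
        [ "$ok" -eq 0 ] || return 1
        seen_path=0
    done
    return "$seen_path"
}

# sshd puts the command the server asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_pull "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # safe to split: metacharacters were refused
    fi
    echo "backup-gate: refused" >&2
    exit 1
fi
```

rsync ships a fuller script for the same job, rrsync. The gate limits what the server's key can request; reads of the listed paths still run with whatever privileges the backup user has on the client.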