* Re: [gentoo-user] {OT} backups... still backups....
From: Neil Bothwick @ 2013-07-01 0:29 UTC
To: gentoo-user
On Sun, 30 Jun 2013 14:36:14 -0700, Grant wrote:
> >> Isn't that a gaping security hole? I think this amounts to granting
> >> the backup server root read access (and write access if you want to
> >> restore) on each client?
> >
> > How can you back up system files without root read access? You are
> > granting this to a specific user, one without a login shell, on the
> > server.
>
> If the backup server is infiltrated, the infiltrator would have root
> read access to each of the clients, correct? If the clients push to
> the backup server instead, their access on the server can be
> restricted to the backup directory.
Yes, but with push you have to secure each machine whereas with pull
backups it's only the server to secure. And you'd still need to grant
access to the server from the clients, which could be escalated. With
backuppc, the server does not need to be accessible from the Internet at
all, all requests are outgoing. If the server machine serves other
purposes and needs to be net-accessible, run the backup server in a
chroot or VM.
--
Neil Bothwick
Religious error: (A)tone, (R)epent, (I)mmolate?