The method I use is that I use rsync+ssh. I then create a regular backuppc
user and limit sudo access to the tools needed to perform the backup, plus
anything needed to be done as root in the pre/post backup scripts, such as
my dbdump script. Here is my /etc/sudoers.d/backuppc:

# This file is managed by puppet. Do not edit locally.
Cmnd_Alias    BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, \
              /usr/local/sbin/dbdump
backuppc        ALL=NOPASSWD:BACKUP

This allows me access to all the files to be backed up/restored, and limits
the backuppc user to the specific tools needed to perform the task. An
attacker could get in and cause mischief, but that risk is far overshadowed
by missing backups in a DR type scenario.

--b



On Sat, Jul 6, 2013 at 7:38 PM, Igor Sverkos <igor.sver...@googlemail.com> wrote:

> Hi,
>
> I can understand the question. If BackupPC uses root permissions,
> your BackupPC will become the No. 1 target, because when the attacker
> controls your BackupPC, she can access every box within your network
> as root. Nothing you really want. And in business, you will have
> multiple sysadmins, but as the VPN/firewall admin you want your
> servers to be backed up, but you shouldn't trust the colleague who
> is running the backup server too much, because it is your ass which
> will get kicked when someone compromises the systems under your
> responsibility.
>
> Two ways we are using:
> 1) If you really know what folder you want to be backed up, create a
> user "backup" and add an ACL which allows the user "backup" to read
> these folders.
>
> 2) If you don't know what folders you want to be backed up or you want
> to back up everything, also create a user "backup" and lock it down.
> Now create a copy of rsync. Make sure only the user "backup" can
> execute this file. Set the CAP_DAC_READ_SEARCH capability on the
> private rsync copy. Now the user "backup" can access all your data
> like root can, but if anybody gets access to that user on that
> box, he/she is very limited.
>
>
> --
> Regards.
> Igor
>
>
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>
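Added example (not from either poster, and not BackupPC's own tooling): a small audit script that reads a sudoers fragment like the /etc/sudoers.d/backuppc file above, joins backslash-continued Cmnd_Alias lines the way sudo does, expands the alias, and reports exactly which commands the backuppc user may run, with which runas user and whether NOPASSWD applies. Compared against an allow-list of the full paths the backup actually needs, it flags `ALL` and any command that slipped in beyond that list. The sample sudoers text is constructed here; the allow-list in the usage call is the one from the thread.

```python
"""Audit a sudoers fragment: what may a given user run, and with what tags?"""
import re

# Constructed sample, modelled on the /etc/sudoers.d/backuppc fragment above.
# A Cmnd_Alias that wraps onto a second line needs a trailing backslash.
SAMPLE_SUDOERS = r"""
# This file is managed by puppet. Do not edit locally.
Cmnd_Alias    BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, \
              /usr/local/sbin/dbdump
backuppc        ALL=NOPASSWD:BACKUP
"""


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1]
            continue
        buf += line
        stripped, buf = buf.strip(), ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def parse_sudoers(text):
    """Return ({alias_name: [cmd, ...]}, [(user, hosts, runas, [spec, ...])])."""
    aliases, rules = {}, []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if re.match(r"\w+_Alias\b", line):   # User_/Host_/Runas_Alias: not needed here
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\((.*?)\)\s*)?(.+)", line)
        if m:
            user, hosts, runas, specs = m.groups()
            rules.append((user, hosts, runas or "root",
                          [s.strip() for s in specs.split(",")]))
    return aliases, rules


def _expand(cmd, aliases, depth=0):
    """Expand a Cmnd_Alias name (recursively, with a cycle guard) to commands."""
    if cmd in aliases and depth < 16:
        return [c for member in aliases[cmd] for c in _expand(member, aliases, depth + 1)]
    return [cmd]


def allowed_commands(text, user):
    """List (command, runas, nopasswd) for every command `user` may sudo."""
    aliases, rules = parse_sudoers(text)
    out = []
    for ruser, _hosts, runas, specs in rules:
        if ruser != user:
            continue
        nopasswd = False    # a tag stays in effect for the rest of the list
        for spec in specs:
            tags, _, cmd = spec.rpartition(":")
            tag_set = {t.strip().upper() for t in tags.split(":") if t.strip()}
            if "NOPASSWD" in tag_set:
                nopasswd = True
            if "PASSWD" in tag_set:
                nopasswd = False
            for c in _expand(cmd.strip(), aliases):
                out.append((c, runas, nopasswd))
    return out


def audit(text, user, expected):
    """Findings for rules broader than the allow-list `expected` (full paths)."""
    findings = []
    for cmd, runas, _nopasswd in allowed_commands(text, user):
        if cmd == "ALL":
            findings.append(f"{user} may run ANY command as {runas}")
        elif (cmd.split() or [""])[0] not in expected:
            findings.append(f"{user} may run unexpected command {cmd!r} as {runas}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, "backuppc",
                         {"/bin/tar", "/usr/bin/rsync", "/usr/bin/mysqldump",
                          "/usr/local/sbin/dbdump"}) or ["no findings"]:
        print(finding)
```

To run it against the live file, feed the script the output of `cat /etc/sudoers.d/backuppc`; `sudo -l -U backuppc` on the host is the authoritative cross-check, since sudo also applies Defaults and any other files in the directory.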
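Added example for Igor's second method (my code, not his and not part of BackupPC): a checker for the private rsync copy. It decodes the raw security.capability xattr (the format libcap's setcap writes, revisions 1 to 3) and confirms that CAP_DAC_READ_SEARCH is the only permitted capability and that it is effective, and that the file is owned by the backup user with no group/other bits, so nobody else can execute it. The path /usr/local/lib/backup/rsync and the user name "backup" in the usage part are assumptions; the xattr bytes in the test are constructed.

```python
"""Verify a private rsync copy carries only CAP_DAC_READ_SEARCH and is locked
to the backup user (reads the raw security.capability xattr, no libcap needed)."""
import os
import struct

CAP_DAC_READ_SEARCH = 2            # bypasses read/search permission checks only
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             7: "cap_setuid", 21: "cap_sys_admin"}   # subset, for readable output

# Layout of the security.capability xattr (linux/capability.h):
#   u32 magic_etc = revision | flags, then u32 permitted/inheritable pairs;
#   revision 3 appends a u32 rootid. All fields little-endian.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_SIZES = {0x01000000: 12, 0x02000000: 20, 0x03000000: 24}


def decode_vfs_caps(blob):
    """Decode a security.capability value into permitted/inheritable cap numbers."""
    magic_etc, = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in VFS_CAP_SIZES or len(blob) != VFS_CAP_SIZES[rev]:
        raise ValueError("unrecognised security.capability layout")
    nwords = 2 if rev == 0x01000000 else 4
    words = struct.unpack_from("<%dI" % nwords, blob, 4)
    permitted, inheritable = set(), set()
    for i in range(0, nwords, 2):
        base = (i // 2) * 32              # word 0 holds caps 0..31, word 1 caps 32..63
        for bit in range(32):
            if words[i] & (1 << bit):
                permitted.add(base + bit)
            if words[i + 1] & (1 << bit):
                inheritable.add(base + bit)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == 0x03000000 else 0
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def format_caps(caps):
    """Render like getcap does, e.g. 'cap_dac_read_search=ep'."""
    names = [CAP_NAMES.get(n, "cap_%d" % n) for n in sorted(caps["permitted"])]
    return ",".join(names) + ("=ep" if caps["effective"] else "=p")


def evaluate_private_rsync(st_uid, st_mode, caps_blob, backup_uid):
    """Pure check: findings for ownership, mode and capability set (empty = OK)."""
    findings = []
    if st_uid != backup_uid:
        findings.append("owned by uid %d, expected backup uid %d" % (st_uid, backup_uid))
    if st_mode & 0o077:
        findings.append("mode %o grants group/other access; expected 0700" % (st_mode & 0o7777))
    if caps_blob is None:
        findings.append("no file capability set (security.capability xattr missing)")
        return findings
    caps = decode_vfs_caps(caps_blob)
    extra = caps["permitted"] - {CAP_DAC_READ_SEARCH}
    if extra:
        findings.append("extra permitted capabilities: "
                        + format_caps({"permitted": extra, "effective": caps["effective"]}))
    if CAP_DAC_READ_SEARCH not in caps["permitted"]:
        findings.append("cap_dac_read_search is not in the permitted set")
    elif not caps["effective"]:
        findings.append("capability is permitted but not effective (set it with =ep)")
    return findings


def check_private_rsync(path, backup_uid):
    """Inspect a real file: stat it, read its security.capability, evaluate."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:          # ENODATA: no file capability on this binary
        blob = None
    return evaluate_private_rsync(st.st_uid, st.st_mode, blob, backup_uid)


if __name__ == "__main__":
    import pwd, sys
    # Hypothetical location of the private copy and the backup user's name.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/lib/backup/rsync"
    try:
        uid = pwd.getpwnam("backup").pw_uid
    except KeyError:
        sys.exit("no user 'backup' on this host")
    for f in check_private_rsync(path, uid) or ["OK: only cap_dac_read_search, private to backup"]:
        print(f)
```

The setup this verifies is the one Igor describes: a copy of rsync owned by backup with mode 0700 and `setcap cap_dac_read_search=ep` applied to it. Note that `cp` does not carry file capabilities across, so the checker is also a cheap way to catch a copy that was refreshed after a package upgrade but never re-capped; and because the capability is file-based, it is lost again if the file is replaced rather than edited in place.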
