I'd add a thing or two to Jörg's answer.

Firstly, if you don't trust the backup provider, the whole backup setup is highly questionable. Remember that even though you can encrypt the file contents, you keep the filenames in clear text in the database, so there is at least a vector of enumeration of files on your system which could potentially lead to abuse.

You can however make a formal agreement (which is out of technical scope of bareos itself) with the backup provider that limits the backup job only to specific files. But to be able to verify whether the backup provider keeps to its end of the deal you can configure logging on the filedaemon so you have some kind of accounting.

Thirdly, running bareos-fd as a non-root user can have its drawbacks in terms of file access. As an alternative you could try using SELinux and creating specific policy which allows backups of only selected files but it will probably be complicated and error-prone.

MK

On 23.11.2019 17:57, Spiros Papageorgiou wrote:
Thanx for the clear answer!

In any case it would be a nice feature to be able to control which files are allowed to be backed up, by the bareos-fd.

Sp

On Saturday, 23 November 2019 18:23:34 UTC+2, Jörg Steffens wrote:

    On 23.11.19 at 16:37 wrote Spiros Papageorgiou:
    > Hi all,
    >
    > I have a linux machine that produces some data that I want to
    backup. I
    > want to use a centralized backup service (based on bareos) that
    I have
    > access to. So, they told me to install bareos-fd and tell them
    which
    > files, I want them to backup.
    >
    > My problem is that I would like to limit the files that
    bareos-fd has
    > access to, because the centralized backup service has potentialy
    the
    > capability of backing up all the files of my linux , which is
    something
    > i don't want.
    >
    > So, Can i limit the access of bareos-fd to a specific set of
    files on my
    > linux server?

    Typically, this is solved in another way. If you use
    https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html
    <https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html>,
    the
    Bareos Director can still retrieve all files, but all the backup data
    will be encrypted before it is transferred to the server and only you
    client can deencrypt it. (the content of the files is encrypted.
    Meta-data like filenames and timestamps are still readable.)

    Alternately, the bareos-fd normally runs as root to get access to all
    files. You can run it as another user and therefore the bareos-fd can
    only access the files accessible by that user.

    In any case, you should also disable or at least limit run
    scripts, as
    otherwise the admin can retrieve data with these scripts. Also
    Plugins
    should be disabled or restricted.
    So take a look at
    https://docs.bareos.org/master/Configuration/FileDaemon.html
    <https://docs.bareos.org/master/Configuration/FileDaemon.html>

      * Allowed Job Command
      * Allowed Script Dir
      * Plugin Directory
      * Plugin Names

    Regards,
    Jörg

--  Jörg Steffens joerg....@bareos.com <javascript:>
     Bareos GmbH & Co. KG            Phone: +49 221 630693-91
    http://www.bareos.com         Fax:   +49 221 630693-10

     Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
     Komplementär: Bareos Verwaltungs-GmbH
     Geschäftsführer:
     S. Dühr, M. Außendorf, Jörg Steffens, P. Storz

--
You received this message because you are subscribed to the Google Groups "bareos-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to bareos-users+unsubscr...@googlegroups.com <mailto:bareos-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com <https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups 
"bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to bareos-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/bareos-users/052cbc62-4b1d-9c90-df23-f440fc999d74%40gmail.com.

Reply via email to