I'd add a thing or two to Jörg's answer.
Firstly, if you don't trust the backup provider, the whole backup setup
is highly questionable. Remember that even though you can encrypt the
file contents, you keep the filenames in clear text in the database, so
there is at least a vector of enumeration of files on your system which
could potentially lead to abuse.
You can however make a formal agreement (which is out of technical scope
of bareos itself) with the backup provider that limits the backup job
only to specific files. But to be able to verify whether the backup
provider keeps to its end of the deal you can configure logging on the
filedaemon so you have some kind of accounting.
Thirdly, running bareos-fd as a non-root user can have its drawbacks in
terms of file access. As an alternative you could try using SELinux and
creating a specific policy which allows backups of only selected files, but
it will probably be complicated and error-prone.
MK
On 23.11.2019 17:57, Spiros Papageorgiou wrote:
Thanks for the clear answer!
In any case it would be a nice feature to be able to control which
files are allowed to be backed up by the bareos-fd.
Sp
On Saturday, 23 November 2019 18:23:34 UTC+2, Jörg Steffens wrote:
On 23.11.19 at 16:37 wrote Spiros Papageorgiou:
> Hi all,
>
> I have a Linux machine that produces some data that I want to backup. I
> want to use a centralized backup service (based on bareos) that I have
> access to. So, they told me to install bareos-fd and tell them which
> files I want them to backup.
>
> My problem is that I would like to limit the files that bareos-fd has
> access to, because the centralized backup service has potentially the
> capability of backing up all the files of my Linux, which is something
> I don't want.
>
> So, can I limit the access of bareos-fd to a specific set of files on my
> Linux server?
Typically, this is solved in another way. If you use
https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html, the
Bareos Director can still retrieve all files, but all the backup data
will be encrypted before it is transferred to the server and only your
client can decrypt it. (The content of the files is encrypted.
Meta-data like filenames and timestamps are still readable.)
Alternately, the bareos-fd normally runs as root to get access to all
files. You can run it as another user and therefore the bareos-fd can
only access the files accessible by that user.
In any case, you should also disable or at least limit run scripts, as
otherwise the admin can retrieve data with these scripts. Also Plugins
should be disabled or restricted.
So take a look at
https://docs.bareos.org/master/Configuration/FileDaemon.html
* Allowed Job Command
* Allowed Script Dir
* Plugin Directory
* Plugin Names
Regards,
Jörg
--
Jörg Steffens joerg....@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10
Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
Komplementär: Bareos Verwaltungs-GmbH
Geschäftsführer:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
--
You received this message because you are subscribed to the Google
Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to bareos-users+unsubscr...@googlegroups.com
<mailto:bareos-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com
<https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com?utm_medium=email&utm_source=footer>.
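The four File Daemon directives listed in Jörg's reply can be checked mechanically on the client. The script below is an added example, not part of the thread or of Bareos: it parses a constructed sample bareos-fd configuration and reports which of those restrictions are missing. The function names `parse_resources` and `audit` are hypothetical, and it assumes that a setting in a Director resource takes precedence over the same setting in the Client resource.

```python
import re

# Constructed sample bareos-fd configuration (not taken from the thread).
SAMPLE_CONF = """
Client {
  Name = db01-fd
  Plugin Directory = /usr/lib/bareos/plugins
}
Director {
  Name = provider-dir
  Password = "placeholder"
  Allowed Job Command = "backup"
  Allowed Job Command = "runscript"
}
"""

def parse_resources(text):
    """Return [(type, {directive: [values]})] for flat resources; directive
    names are normalised to lower case without spaces."""
    resources = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^{}]*)\}", text):
        directives = {}
        for line in body.splitlines():
            key, sep, value = line.split("#", 1)[0].partition("=")
            if sep:
                key = "".join(key.split()).lower()
                directives.setdefault(key, []).append(value.strip().strip('"'))
        resources.append((rtype.lower(), directives))
    return resources

def audit(text):
    """List the hardening gaps for the directives named in the thread."""
    res = parse_resources(text)
    client = next((d for t, d in res if t in ("client", "filedaemon")), {})
    findings = []
    if "plugindirectory" in client and "pluginnames" not in client:
        findings.append("client: Plugin Directory set without Plugin Names")
    for name, d in ((d.get("name", ["?"])[0], d) for t, d in res if t == "director"):
        # Assumption: a Director's own setting wins over the Client-wide one.
        cmds = [c.lower() for c in d.get("allowedjobcommand") or client.get("allowedjobcommand", [])]
        dirs = d.get("allowedscriptdir") or client.get("allowedscriptdir")
        if not cmds:
            findings.append(f"{name}: no Allowed Job Command, all job commands accepted")
        if (not cmds or "runscript" in cmds) and not dirs:
            findings.append(f"{name}: runscript allowed without Allowed Script Dir")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

An empty result means every Director is limited to an explicit command list, runscript is either disallowed or confined to a script directory, and plugin loading is restricted by name.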