I realize this is a little off-topic for this list, but based on some of the
other discussions that I've followed over the last month, I'm hopeful that I
might be able to get some feedback from some of you, either on the list or
privately.

Basically, what I'm looking for is a security-based critique of a backup method
I'm using.  It works fine for me right now, but I'm considering rewriting it
for broader distribution, and I'd like to know what you guys think about how
fundamentally secure it is.

This is how it works: there is some set of Linux machines that I want to back
up.  Each of these machines is available on a network and each has ssh
available.  One of the machines (call it the "backup machine") has a CD-RW on
it, and I use that machine to write a daily backup to a multi-session CD-RW
disc.

The batch backup process is divided into four pieces:

   o collect [each machine]: builds tarballs based on configuration
   o stage [backup machine]: stages all collected data from other machines
   o store [backup machine]: builds ISO image and writes staged data to disc
   o purge [each machine]: purges old archived tarballs and/or ISO disc images

The scripts are run as root from /etc/crontab.  When files are created, they 
are created in a directory owned by and readable only by the 'backup' user, 
and they are changed to be owned by the 'backup' user, which has very limited 
privileges.  Staging of files to the backup machine is done via ssh as the 
'backup' user, again to a directory owned by and only readable by the 'backup' 
user.  Old tarballs and ISO images are kept around for some configurable 
number of days, in case the ssh transfer across the network or the actual 
write to disc fails.

It seems to me that the main flaw with my process is in saving the old 
collected and staged files on each machine for some amount of time before the 
purge process runs.  Since these files can be read by the 'backup' user and
could contain backups of directories such as /etc, someone who gains access
as the 'backup' user could get access to privileged information.  I haven't
decided exactly what to do with this yet.

Other than the problem with the saved-off files, is it safe to say that this
process is as reasonably secure as any batch process which relies on ssh can
be, or are there other things I can change to make the whole thing more secure?
I really appreciate any feedback any of you might provide.  I read the list,
or you can send email privately to <[EMAIL PROTECTED]>.

Thanks!

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"I have zero tolerance for zero-tolerance policies."
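The collect and purge steps of the process above, as an added example that is not Ken's script: each tarball is created under a restrictive umask in a directory only its owner can enter, handed to the low-privilege backup user, checked for stray group/other permission bits, and purged after a configurable number of days. BACKUP_USER, the function names and the paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes a tar that
# understands -czf, a POSIX find, and GNU or BSD stat.
set -eu

# Low-privilege account that ends up owning the archives (assumption).
BACKUP_USER="${BACKUP_USER:-backup}"

# collect_tarball SRC_DIR ARCHIVE_DIR NAME
# Creates NAME.tar.gz under ARCHIVE_DIR. umask 077 means the archive is
# mode 0600 from the moment it exists, so a backup of /etc is never
# readable by anyone but its owner, not even briefly. When run as root
# (as from /etc/crontab) ownership is handed to the backup user.
collect_tarball() {
    src=$1; dest=$2; name=$3
    umask 077
    mkdir -p "$dest"
    chmod 700 "$dest"
    tar -C "$src" -czf "$dest/$name.tar.gz" .
    if [ "$(id -u)" -eq 0 ] && id "$BACKUP_USER" >/dev/null 2>&1; then
        chown "$BACKUP_USER" "$dest" "$dest/$name.tar.gz"
    fi
    echo "$dest/$name.tar.gz"
}

# check_private PATH: succeeds only if PATH has no group/other permission
# bits, i.e. only its owner (and root) can read it. Useful as a sanity
# check before staging, since a stray umask would otherwise go unnoticed.
check_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# purge_old ARCHIVE_DIR DAYS: deletes tarballs older than DAYS. A short
# retention window limits how much a compromised backup account can read.
purge_old() {
    find "$1" -name '*.tar.gz' -type f -mtime +"$2" -exec rm -f {} +
}
```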
