>>>>> And if I pull, none of my backed-up systems are secure because anyone >>>>> who breaks into the backup server has root read privileges on every >>>>> backed-up system and will thereby "gain full root privileges quickly." >>>> >>>> IMO that depends on whether you also backup the authentication-related >>>> files or not. Exclude them from backup, ensure different root passwords >>>> for all boxes, and now you can limit the infiltration. >>> >>> If you're pulling to the backup server, that backup server has to be >>> able to log in to and read all files on the other servers. Including >>> e.g. your swap partition and device files. >> >> What if I have each system save a copy of everything to be backed up >> from its own filesystem in a separate directory and change the >> ownership of everything in that directory so it can be read by an >> unprivileged backup user? Then I could have the backup server pull >> that copy from each system without giving it root access to each >> system. Can I somehow have the correct ownerships for the backup >> saved in a separate file for use during a restore? >> >> - Grant >> > > You could just as well use an NFS share with no_root_squash. It is > really more a question of finding the right combination of tools to > ensure proper separation of concern for server and client. > > In fact, I think we are intermixing three distinct problems: > 1. (Possible) limitations of rdiff-backup with regard to untrusted > backup servers or clients.
The limitation is real unfortunately. All backups created by rdiff-backup more than a second ago can be deleted something like this: rdiff-backup --remove-older-than 1s backup@12.34.56.78::/path/to/backup > 2. The purely technical question which file transfer protocols protect > against write access from backup server to backup client and backup > client to older backups on the server. rdiff-backup doesn't provide those sort of protections. Do any file transfer protocols? > 3. The more or less organisational question what level of protection > backups need and how fast security breaks have to be detected. I think backups should be very well protected and security breaks should not have to be immediately detected. - Grant > I think push vs. pull is just a secondary concern with regard to the > second question and has practically no relevance to the third one. > > Regards, > Florian Philipp
