>>>>> And if I pull, none of my backed-up systems are secure because anyone
>>>>> who breaks into the backup server has root read privileges on every
>>>>> backed-up system and will thereby "gain full root privileges quickly."
>>>>
>>>> IMO that depends on whether you also back up the authentication-related
>>>> files or not. Exclude them from backup, ensure different root passwords
>>>> for all boxes, and now you can limit the infiltration.
>>>
>>> If you're pulling to the backup server, that backup server has to be
>>> able to log in to and read all files on the other servers. Including
>>> e.g. your swap partition and device files.
>>
>> What if I have each system save a copy of everything to be backed up
>> from its own filesystem in a separate directory and change the
>> ownership of everything in that directory so it can be read by an
>> unprivileged backup user?
>
> You've just reinvented the push backup =)
>
> If separate-directory is on the same server, an attacker can log in and
> overwrite all of your files with zeros. Those zeros will be pulled to
> the backup server, destroying your backups.

That's not the case at all. The zeros would be pulled to the backup server via rdiff-backup and saved as a new version in the repository. The backups would be safe.

- Grant

> If separate-directory is on the backup server...

