Re: [bareos-users] Re: bareos-fd client limit access to files

2019-11-23 Thread Spadajspadaj

I'd add a thing or two to Jörg's answer.

Firstly, if you don't trust the backup provider, the whole backup setup 
is highly questionable. Remember that even though you can encrypt the 
file contents, you keep the filenames in clear text in the database, so 
there is at least a vector of enumeration of files on your system which 
could potentially lead to abuse.


You can however make a formal agreement (which is out of technical scope 
of bareos itself) with the backup provider that limits the backup job 
only to specific files. But to be able to verify whether the backup 
provider keeps to its end of the deal you can configure logging on the 
filedaemon so you have some kind of accounting.


Thirdly, running bareos-fd as a non-root user can have its drawbacks in 
terms of file access. As an alternative you could try using SELinux and 
creating specific policy which allows backups of only selected files but 
it will probably be complicated and error-prone.


MK

On 23.11.2019 17:57, Spiros Papageorgiou wrote:

Thanx for the clear answer!

In any case it would be a nice feature to be able to control which 
files are allowed to be backed up, by the bareos-fd.


Sp

On Saturday, 23 November 2019 18:23:34 UTC+2, Jörg Steffens wrote:

On 23.11.19 at 16:37 wrote Spiros Papageorgiou:
> Hi all,
>
> I have a linux machine that produces some data that I want to backup. I
> want to use a centralized backup service (based on bareos) that I have
> access to. So, they told me to install bareos-fd and tell them which
> files, I want them to backup.
>
> My problem is that I would like to limit the files that bareos-fd has
> access to, because the centralized backup service has potentially the
> capability of backing up all the files of my linux, which is something
> I don't want.
>
> So, can I limit the access of bareos-fd to a specific set of files on my
> linux server?

Typically, this is solved in another way. If you use
https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html, the
Bareos Director can still retrieve all files, but all the backup data
will be encrypted before it is transferred to the server and only your
client can decrypt it. (The content of the files is encrypted.
Meta-data like filenames and timestamps are still readable.)

Alternately, the bareos-fd normally runs as root to get access to all
files. You can run it as another user and therefore the bareos-fd can
only access the files accessible by that user.

In any case, you should also disable or at least limit run scripts, as
otherwise the admin can retrieve data with these scripts. Also Plugins
should be disabled or restricted.
So take a look at
https://docs.bareos.org/master/Configuration/FileDaemon.html


  * Allowed Job Command
  * Allowed Script Dir
  * Plugin Directory
  * Plugin Names

Regards,
Jörg

-- 
 Jörg Steffens joerg@bareos.com 

 Bareos GmbH & Co. KG            Phone: +49 221 630693-91
http://www.bareos.com         Fax:   +49 221 630693-10

 Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
 Komplementär: Bareos Verwaltungs-GmbH
 Geschäftsführer:
 S. Dühr, M. Außendorf, Jörg Steffens, P. Storz

--
You received this message because you are subscribed to the Google 
Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to bareos-users+unsubscr...@googlegroups.com 
.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com 
.




[bareos-users] Re: bareos-fd client limit access to files

2019-11-23 Thread Spiros Papageorgiou
Thanx for the clear answer!

In any case it would be a nice feature to be able to control which files 
are allowed to be backed up, by the bareos-fd.

Sp 

On Saturday, 23 November 2019 18:23:34 UTC+2, Jörg Steffens wrote:
>
> On 23.11.19 at 16:37 wrote Spiros Papageorgiou: 
> > Hi all, 
> > 
> > I have a linux machine that produces some data that I want to backup. I 
> > want to use a centralized backup service (based on bareos) that I have 
> > access to. So, they told me to install bareos-fd and tell them which 
> > files, I want them to backup. 
> > 
> > My problem is that I would like to limit the files that bareos-fd has
> > access to, because the centralized backup service has potentially the
> > capability of backing up all the files of my linux, which is something
> > I don't want.
> >
> > So, can I limit the access of bareos-fd to a specific set of files on my
> > linux server?
>
> Typically, this is solved in another way. If you use 
> https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html, the 
> Bareos Director can still retrieve all files, but all the backup data 
> will be encrypted before it is transferred to the server and only your
> client can decrypt it. (The content of the files is encrypted.
> Meta-data like filenames and timestamps are still readable.) 
>
> Alternately, the bareos-fd normally runs as root to get access to all 
> files. You can run it as another user and therefore the bareos-fd can 
> only access the files accessible by that user. 
>
> In any case, you should also disable or at least limit run scripts, as 
> otherwise the admin can retrieve data with these scripts. Also Plugins 
> should be disabled or restricted. 
> So take a look at 
> https://docs.bareos.org/master/Configuration/FileDaemon.html 
>
>   * Allowed Job Command 
>   * Allowed Script Dir 
>   * Plugin Directory 
>   * Plugin Names 
>
> Regards, 
> Jörg 
>
> -- 
>  Jörg Steffens   joerg@bareos.com  
>  Bareos GmbH & Co. KG   Phone: +49 221 630693-91
>  http://www.bareos.com   Fax:   +49 221 630693-10 
>
>  Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646 
>  Komplementär: Bareos Verwaltungs-GmbH 
>  Geschäftsführer: 
>  S. Dühr, M. Außendorf, Jörg Steffens, P. Storz 
>
>



[bareos-users] Re: bareos-fd client limit access to files

2019-11-23 Thread Jörg Steffens
On 23.11.19 at 16:37 wrote Spiros Papageorgiou:
> Hi all,
> 
> I have a linux machine that produces some data that I want to backup. I
> want to use a centralized backup service (based on bareos) that I have
> access to. So, they told me to install bareos-fd and tell them which
> files, I want them to backup.
> 
> My problem is that I would like to limit the files that bareos-fd has
> access to, because the centralized backup service has potentially the
> capability of backing up all the files of my linux, which is something
> I don't want.
>
> So, can I limit the access of bareos-fd to a specific set of files on my
> linux server?

Typically, this is solved in another way. If you use
https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html, the
Bareos Director can still retrieve all files, but all the backup data
will be encrypted before it is transferred to the server and only your
client can decrypt it. (The content of the files is encrypted.
Meta-data like filenames and timestamps are still readable.)

Alternately, the bareos-fd normally runs as root to get access to all
files. You can run it as another user and therefore the bareos-fd can
only access the files accessible by that user.

In any case, you should also disable or at least limit run scripts, as
otherwise the admin can retrieve data with these scripts. Also Plugins
should be disabled or restricted.
So take a look at
https://docs.bareos.org/master/Configuration/FileDaemon.html

  * Allowed Job Command
  * Allowed Script Dir
  * Plugin Directory
  * Plugin Names

Regards,
Jörg

-- 
 Jörg Steffens   joerg.steff...@bareos.com
 Bareos GmbH & Co. KG   Phone: +49 221 630693-91
 http://www.bareos.com   Fax:   +49 221 630693-10

 Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
 Komplementär: Bareos Verwaltungs-GmbH
 Geschäftsführer:
 S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
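
A file daemon configuration sketch for the four directives listed above, as an added example that is not part of the message or of the Bareos documentation. The resource name and the script directory are placeholders, and the other directives of an existing resource stay as they are.

```conf
# bareos-fd Client resource (added example; names and paths are placeholders)
Client {
  Name = client1-fd                     # placeholder name

  # Allowed Job Command: when unset, every job command is accepted.
  # Listing commands restricts the daemon to those; "runscript" is left
  # out here, so run scripts sent by the Director are not executed.
  Allowed Job Command = "backup"
  Allowed Job Command = "estimate"
  # Enable the next line only while a restore is actually needed, because
  # a restore job lets the Director write files on this host:
  # Allowed Job Command = "restore"

  # If run scripts are required, allow "runscript" as well and confine the
  # programs it may start to one directory you control:
  # Allowed Job Command = "runscript"
  # Allowed Script Dir = /etc/bareos/allowed-scripts   # hypothetical path

  # Plugin Directory: leave unset so that no plugins are loaded.
  # If a plugin is needed, set the directory and name the plugin
  # explicitly; without Plugin Names, every plugin found in
  # Plugin Directory is loaded.
  # Plugin Directory = <plugin directory of your installation>
  # Plugin Names = "<plugin name>"
}
```

Allowed Job Command and Allowed Script Dir can also be placed in a Director resource of the file daemon, where they apply to that Director only.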
