secure remote backups

Ben Escoto bescoto@stanford.edu
Mon, 19 Nov 2001 16:25:09 -0800


>>>>> "MW" == mike wolman <mike@nux.co.uk>
>>>>> wrote the following on Tue, 20 Nov 2001 00:23:16 +0000 (GMT)

  MW> Hi, Is it possible to use rdiff to first log in to a machine as
  MW> a normal user then su before performing the backup thus
  MW> preventing root from sshing into the remote machine directly?

Yes, kind of, but this won't eliminate the security risks, so the
primary purpose would probably be to run it on a machine not allowing
root ssh connections.

    rdiff-backup usually opens a connection to a remote host by
executing "ssh user@host rdiff-backup --server", but you can control
this using the --remote-schema option.  Instead of running
rdiff-backup directly on the remote side, you could instead run a
script that was either suid, or ran su itself, and then ran
rdiff-backup.

    For instance:

    rdiff-backup --remote-schema "ssh %s su root -c 'rdiff-backup --server'" foo user@remote.host::bar

Will log into remote.host as user, but then ssh will immediately use
su to run 'rdiff-backup --server' as root.  (Assuming I didn't mess up
the quoting.)

    The problem for security is that however you log into the remote
machine, the rdiff-backup server is running as root (assuming you want
to preserve file ownership), so a malicious user on the local machine
could tell the server to do bad things.


--
Ben Escoto
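
The quoting question raised in the message can be checked offline. The script below is an added example, not part of the original message or of rdiff-backup: it stubs `ssh` and `su` as shell functions and reports which string reaches `su -c` after the schema is parsed once locally and once more by the remote shell. It assumes rdiff-backup hands the expanded schema to a local shell; `su_command` and both stubs are hypothetical helpers.

```shell
#!/bin/sh
# Added illustration: ssh and su are stubbed as shell functions, so nothing
# leaves this machine and no privileges are involved.

# Stub ssh: the real client joins every argument after the host with single
# spaces and sends that one string to the remote login shell, which parses
# it again. eval stands in for that second parse.
ssh() {
    shift                 # drop the user@host argument
    remote_line="$*"      # the single string sent to the remote side
    eval "$remote_line"
}

# Stub su: report what arrived as the -c command and what was left over.
su() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-c" ]; then
            shift; c=$1; shift
            printf 'command=[%s] extra=[%s]\n' "$c" "$*"
            return 0
        fi
        shift
    done
    return 1
}

# Hypothetical helper: expand %s as the schema does, then let a local shell
# parse the result (assumption: rdiff-backup runs the schema via a shell).
su_command() {
    schema=$1
    host=$2
    cmd=$(printf '%s' "$schema" | sed "s/%s/$host/")
    ( eval "$cmd" )
}

# Schema as written in the message: the single quotes are consumed locally.
su_command "ssh %s su root -c 'rdiff-backup --server'" user@remote.host
# Constructed variant: an outer pair of quotes survives the first parse.
su_command "ssh %s \"su root -c 'rdiff-backup --server'\"" user@remote.host
```

The first call shows `--server` arriving as a separate argument rather than as part of the `-c` string; the second shows the whole command arriving intact.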

