secure remote backups

Ben Escoto bescoto@stanford.edu
Mon, 17 Dec 2001 14:01:21 -0800


>>>>> "MW" == mike wolman <mike@nux.co.uk>
>>>>> wrote the following on Mon, 17 Dec 2001 14:27:34 +0000 (GMT)

  MW> /usr/local/bin/rdiff-backup -v6 --remote-schema "ssh -C %s '/home/backupuser/backup.sh'" \
  MW>     mike@machine.to.backup::/home /home/backups/machinename
    ...

  MW> When run as root on the backup server I am able to preserve user
  MW> and group ownership for all files.

  MW> Please let me know if I have left a major security hole open here.

This strikes me as being pretty safe (and something that I would do)
but does seem to introduce some risks.  You are probably aware, but I
will list:

1.  If someone compromises root@backup_server, apparently it is now
    easy for them to log into machine.to.backup as mike, and delete
    all of mike's files.  (But perhaps it was this way before
    rdiff-backup.)

2.  If someone compromises root@backup_server, they can run the
    rdiff-backup server as root@machine.to.backup, and get it to
    read/erase arbitrary files on machine.to.backup.

3.  If someone compromises mike@machine.to.backup, they can also run
    the rdiff-backup server as root@machine.to.backup, and if they
    know what they are doing, they can get root access on that
    machine.

4.  If someone compromises root@machine.to.backup, they can rewrite
    the rdiff-backup server there, and try to hack the client (running
    as root@backup_server when it connects) to get root access at
    backup_server.


--
Ben Escoto
