Mailinglist Archive: opensuse-security (394 mails)

Re: Secure Backup
  • From: Ulf Stegemann <ulf@xxxxxxxxxxx>
  • Date: Thu, 04 Dec 2003 12:58:41 +0100
  • Message-id: <zf.upnsmk0dcb2.fsf@xxxxxxxxxxx>
Mario Ohnewald <mario.Ohnewald@xxxxxx> wrote:

> I have two boxes and want to save a backup of each on the other.
> So far I have created an ssh key for both machines so I can make an ssh rsync
> to each other.
> But the terrible side effect is that IF one of those boxes gets compromised
> the cracker will be root on both of them!!!

[...]

> Any ideas/hints?

As far as I understand, you need to

- run rsync as root on the source machine (to access all files)
- connect to the target machine non-interactively with ssh
- run rsync as root on the target machine (to avoid losing permissions)

It should be possible to create a script running rsync as root on the source
machine. rsync should connect via ssh to the target machine as an especially
created user (on the target machine) using public key auth.

On the target machine the special user should only be allowed to log in with
the designated ssh key (passwd -l et al.), should preferably be chroot-ed
and should have an ~/.ssh/authorized_keys file where the ssh command feature
is used, i.e. connecting using the specified key will result in executing the
specified command ... always. Other limitations for the key (from IP, no
forwarding et al.) should be applied, too. Next, you need to find out which
command is required by rsync on the receiving side (target host);
$SSH_ORIGINAL_COMMAND might help here (google for it).

So far, connecting to the target host is only possible using the ssh key you
created (without passphrase that is) and will always result in rsync doing
its target side magic. However, since rsync does not run as root on the
target machine you will still lose permissions.

To circumvent this, you could record all permissions to a file (best within
your backup script) and sync this one along with all the other data. Of
course you will have to create another script that will restore permissions
in case that you use backed up files from the target machine on the source
machine again.

Alternatively, you could use sudo on the target machine to allow the special
account to run rsync as root (and only that). However, chroot-ing the special
account on the target machine is problematic then, since you need sudo
inside your cage which is SUID 0.

Note that I haven't tested such a setup.


Hope that helps,

Ulf
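An added example of the forced-command setup described above (not part of the original thread): an authorized_keys line with a restricted key, and a small wrapper that inspects SSH_ORIGINAL_COMMAND and admits only rsync's own receive-side server command into the backup directory. The wrapper path, backup directory and source host address are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the dedicated backup account on the target
# host. Constructed example, not code from the original post. Assumed:
# wrapper installed as /usr/local/bin/rsync-only.sh, backups written to
# /var/backup/incoming, source host at 192.0.2.10 (documentation range).
#
# Matching ~/.ssh/authorized_keys entry (one line, key material elided):
#   command="/usr/local/bin/rsync-only.sh",from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... root@source
#
# sshd ignores the command the client asked for and runs this wrapper;
# the requested command is handed over in SSH_ORIGINAL_COMMAND.

BACKUP_DIR="/var/backup/incoming"
NL='
'

# Return 0 if "$1" is an acceptable receive-only rsync server invocation
# into $BACKUP_DIR, 1 otherwise.
allowed_rsync_command() {
    cmd="$1"
    case "$cmd" in
        # shell metacharacters, quotes and newlines never occur in a
        # legitimate rsync server command; reject them outright
        *\;*|*\&*|*\|*|*\`*|*\$*|*\<*|*\>*|*\'*|*\"*|*"$NL"*) return 1 ;;
        # --sender would let the peer read the backups instead of writing them
        *--sender*) return 1 ;;
        # rsync's own server-mode form: "rsync --server <opts> . <dest>"
        "rsync --server -"*" . $BACKUP_DIR"|"rsync --server -"*" . $BACKUP_DIR/") return 0 ;;
        *) return 1 ;;
    esac
}

# When invoked by sshd, run the validated command and nothing else.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # no metacharacters survived validation, so word-splitting is safe here
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The rsync distribution ships support/rrsync, which implements the same idea with a per-option allow list and is the better choice where it is available.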

