Hello Axel,
I registered the #backuppc channel on Freenode. It's not too popular
at the moment, but I'm usually in & out and I've talked to a few
people in there. I don't know how much help I could be, but I do
suggest people come in and talk about BackupPC, and offer what help
they can as well.
On Mon, Apr 7, 2008 at 11:33 AM, Axel Beckert <beckert AT phys.ethz DOT ch>
wrote:
> Hi,
>
> three things which I was thinking about recently:
>
>
> First thing:
>
> We're running a BackupPC server with several TB disk space for laptops
> in our Department. As usual some users are more paranoid than
> others...
>
> The more paranoid users who just want their data backed up, not the
> whole machine, won't give root permission to the backup server's ssh
> key. So we ssh into the user whose home directory we want to back up. No
> problem so far.
>
> But now I've got a few such boxes used by two or more persons (a
> professor and his PhD students) and all want their home directory
> backed up, but they don't want to give out root login rights.
>
> Has anyone done something similar already? The machines in question
> currently are Macs with MacOS X (so we need to use tar), but we
> probably also need to do this for Linux machines (preferably with
> rsync).
>
> Currently I have several ideas how to accomplish that:
>
> + An ssh wrapper which would execute the tar command on the computer
> one time for each user. Problem: Just simply concatenating the tar
> files won't work, you need to make one archive out of them.
>
> + Giving multiple DNS aliases to the computers in question and then
> seeing them as multiple hosts. (Hope, BackupPC doesn't several
> hosts having the same IP address.)
>
> There are two variants of this idea:
>
> - Using /etc/hosts of the BackupPC server. Wouldn't clutter the
> normal DNS, but you need to make all changes to DNS in the hosts
> file, too.
>
> - Using CNAME records in DNS. Would be visible for others. Only one
> place to do changes.
>
> + Creating a local user account on the client which has access to all
> home directories to backup, but not more. Sounds like a big mess (or
> at least a big effort) in regards to Unix file permissions.
>
> I currently prefer the DNS alias method (don't know yet if via
> /etc/hosts or normal DNS), but would be happy to hear from others with
> similar situation what ideas (and perhaps solutions) they had.
>
>
> Second thing:
>
> One of our more paranoid users suggested an improvement which won't
> help if the backup server itself would be compromised but will help if
> the private key got outside the backup server somehow (and makes
> administration harder, if the server changes):
>
> Using options in the authorized_keys file can dyke a key-only
> compromise: The line
>
> from="server1.example.org" ssh-rsa AAAAB3...8z backuppc AT server1.example DOT org
>
> would restrict the key to being used only by the host
> server1.example.org. The given hostname must be the hostname in the
> PTR record for the IP address the BackupPC server connects from. CNAME
> records like e.g. backuppc.example.org pointing to server1.example.org
> won't work in most cases.
>
> IMHO it wouldn't be bad if this could be mentioned at
> http://backuppc.sourceforge.net/faq/security.html#ssh_key_security
>
> Second and a half thing: ;-)
>
> I also played around a little bit with the command="..." option. It
> looks like you could use it with something like
>
> command="tar `cat`" and then use it from BackupPC like this:
>
> $Conf{TarClientCmd} = 'echo cpvf - -C $shareName+ --totals | $sshPath -q -x -n -l root $host $tarPath';
>
> And even if it doesn't look very security-wise, I haven't managed to
> exploit command="echo `cat`" -- every meta character (backtick,
> backslash, dollar, semicolon, line break, exclamation mark) I tried
> was output literally.
>
> Haven't tested it yet though. And it probably won't work for any
> command which uses both STDIN and STDOUT like e.g. rsync.
>
>
> Third thing:
>
> Is there no IRC channel for BackupPC users? I've looked in IRCnet,
> Freenode and OFTC. ChanServ seems to know about #backuppc in Freenode,
> but nobody was in there.
>
> Kind regards, Axel Beckert
> --
> Axel Beckert <beckert AT phys.ethz DOT ch> support: +41 44 633 2668
> IT Support Group, HPR E 86.1 voice: +41 44 633 4189
> Departement Physik, ETH Zurich fax: +41 44 633 1239
> CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
>
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users AT lists.sourceforge DOT net
> List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki: http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>
--
Paul Mantz
http://www.mcpantz.org
Zmanda - Open source backup and recovery http://www.zmanda.com/
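
The `from=` and `command=` key restrictions discussed in the quoted message, combined in an added example that is not part of the thread or of BackupPC: a forced-command wrapper that accepts only an exact, allowlisted tar request taken from `SSH_ORIGINAL_COMMAND` instead of passing stdin to tar. The wrapper path, the directory list and the accepted tar invocation are assumptions, and the backup server would have to request exactly that string.

```shell
#!/bin/sh
# backup-gate: constructed forced-command wrapper for a backup-only SSH key.
#
# authorized_keys entry that invokes it (key shortened as in the message;
# the wrapper path is hypothetical):
#   from="server1.example.org",command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3...8z backuppc
#
# sshd runs the wrapper instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND.

# Directories this key may archive (assumed values).
ALLOWED_DIRS="/home/prof /home/student1"

# Print the approved directory when the request is exactly the one tar
# invocation accepted for it; return 1 for anything else.
backup_request_dir() {
    for dir in $ALLOWED_DIRS; do
        if [ "$1" = "tar -c -f - -C $dir ." ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

gate_main() {
    if ! dir=$(backup_request_dir "$SSH_ORIGINAL_COMMAND"); then
        echo "backup-gate: request refused" >&2
        return 1
    fi
    # The request string is never evaluated; tar gets fixed arguments.
    exec tar -c -f - -C "$dir" .
}

# With no requested command (an interactive login attempt) do nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    gate_main
fi
```

Because the request travels in `SSH_ORIGINAL_COMMAND` rather than on stdin, stdin stays free for the command itself.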