Date: Sun, 15 Dec 2002 20:04:31 -0500
From: Mike Tancsa <mike@sentex.net>
To: Marcus Reid <marcus@blazingdot.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: network backup
Message-ID: <5.2.0.9.0.20021215195931.06955bc8@192.168.0.12>
In-Reply-To: <20021215221031.GA72287@blazingdot.com>
References: <bm3pvu06umktacjbt9g5vi0i7n6kkvtcfi@4ax.com> <20021213165625.GB91604@dan.emsphone.com> <mailman.1039802762.69058.fisp-l@lists.sentex.ca> <bm3pvu06umktacjbt9g5vi0i7n6kkvtcfi@4ax.com>

At 02:10 PM 12/15/2002 -0800, Marcus Reid wrote:
>On Sun, Dec 15, 2002 at 09:22:06AM -0500, Mike Tancsa wrote:
> > /sbin/dump -0uanf - /usr |gzip -9 | ssh
> > remoteuser@backupserver.example.com dd
> > of=/home/targetdir/root-server-al0.gz
>
>Agreed that dump is the way to go much of the time.. There is something
>that bothers me in your example though. Your backup machine trusts the server,
>and not the other way around. IMHO, the backup machine needs to be one of
>the most trusted machines on your network, like your management workstation.

I agree. However, the target user on the backup server is non-wheel and the
session is chrooted into its own directory. If servera is compromised, the
attacker can get at the account servera on the backupserver, and that's it.

>It logs into machines below it, and not the other way around. Compromise of
>server X should not allow access to the backups of every machine on the
>network!

Not necessarily. If there is a password compromise on the one server, it
does not mean that there is access to all the other accounts on the backup
server. Also, if it were done the other way around, only the backup server
needs to be compromised to gain access to all the other servers.

How have you designed your backup system that avoids these issues?

        ---Mike
--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike
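
Added example, not part of the message above and not Mike Tancsa's actual setup: one way to hold a push-style backup account to "this server's dumps and nothing else" is an OpenSSH forced command on the backup server that only ever writes stdin to a new file. The script path, the `BACKUP_ROOT` default, the key comment and the file naming are assumptions made for illustration.

```sh
#!/bin/sh
# Forced-command sink for one client's backup account (added example).
# Assumed authorized_keys entry on the backup server (constructed):
#   command="/usr/local/libexec/backup-sink servera",restrict ssh-ed25519 AAAA... servera
# With this in place the client's "dd of=..." is never run: sshd puts it in
# SSH_ORIGINAL_COMMAND and starts this script instead, and the script never
# evaluates that variable. The key can add a dump; it cannot read, list or
# replace earlier ones, or choose where the data lands.

BACKUP_ROOT="${BACKUP_ROOT:-/home/targetdir}"   # assumed layout: one dir per client

# backup_sink CLIENT: store stdin as a new file under $BACKUP_ROOT/CLIENT
# and print the path that was written.
backup_sink() {
    client=$1
    # The client name comes from authorized_keys, but validate it anyway so a
    # typo there can never turn into a path outside the client's directory.
    case $client in
        ''|*[!A-Za-z0-9_-]*) echo "bad client name" >&2; return 2 ;;
    esac
    dir="$BACKUP_ROOT/$client"
    [ -d "$dir" ] || { echo "no backup directory for $client" >&2; return 3; }

    umask 077
    out="$dir/dump-$(date -u +%Y%m%dT%H%M%SZ)-$$.gz"

    # set -C (noclobber) makes the redirection fail if the file already exists,
    # so an existing dump is never truncated or replaced.
    ( set -C; cat > "$out" ) || { echo "refusing to overwrite $out" >&2; return 4; }
    chmod 400 "$out"
    printf '%s\n' "$out"
}

# When installed as the forced command, the client name is the only argument.
if [ $# -eq 1 ]; then
    backup_sink "$1"
fi
```

The sending side stays as in the quoted command; whatever follows the hostname on the `ssh` command line is ignored by the backup server.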