unattended rdiff-backup / ssh configuration

dean gaudet dean-list-rdiff-backup@arctic.org
Mon, 13 May 2002 17:58:39 -0700 (PDT)

On Mon, 13 May 2002, Ben Escoto wrote:

> >>>>> "DG" == dean gaudet <dean-list-rdiff-backup@arctic.org>
> >>>>> wrote the following on Mon, 13 May 2002 10:59:48 -0700 (PDT)
>   DG> oh yeah, another feature request :)  a "--server-read-only"
>   DG> command line option which would restrict rdiff-backup to running
>   DG> as a source server only.  that would protect a server from ever
>   DG> being a target in an unattended backup setup.  it would tighten
>   DG> security a bit.
>   DG> i suppose also a "--server-write-only /path/to/mirror" would be
>   DG> appropriate in the other direction.
> This is definitely a good idea, but is suprisingly difficult given the
> way the protocol is.  Also, I think the --server-write-only switch
> wouldn't be worth much without chroot'ing (because otherwise someone
> could add in a well-timed symlink and get rdiff-backup to overwrite
> whatever they wanted) and right now chroot'ing is difficult because
> rdiff-backup depends on rdiff.

yeah i had been thinking about chroot... and the more i think about it,
even the --server-read-only is somewhat superfluous given the existence of
snapshot-capable volume managers such as LVM, EVMS, vxvm, ...

once i iron out some other kinks i'll be using LVM to take a snapshot
before the backup starts.  then i'll be doing the backup off the read-only
snapshot.  if i throw in a chroot (with appropriate magic for rdiff) then
i'll get most of the protection i want.

the only additional thing i'd like is if i could run the backup as a
non-root user which has root read access.  i think i'll go pester
linux-kernel and see if anyone has any suggestions :)