>> Then I could have the backup server pull
>> that copy from each system without giving it root access to each
>> system.  Can I somehow have the correct ownerships for the backup
>> saved in a separate file for use during a restore?
>>
>
> If you're intent on making a two-stage pull work; you can do it by
> creating a 'backups' user on your servers, and then using filesystem
> ACLs to grant backups+r to every file/directory you want to back up.
> That way, an attacker on the backup server can't decide to peruse the
> rest of your stuff.

I like that.  So use ACLs to grant access to the backups instead of
using ownership/permissions so that the ownership/permissions stay
intact.  I've never used ACLs.  Do they "override"
ownership/permissions?  In other words, if the ACL specifies backups+r
to a file owned by root that is chmod 700, "backups" can read it
anyway?

> The easiest method, though, is to just add a third stage. Either move
> the backups on the backup server to another directory after the backup
> job completes, or sync/burn/whatever them off-site. In this case the
> backup server can't access anything you don't give it, and the
> individual servers can't trash their backed-up data.

I don't see how that could work in an automated fashion.  Could you
give me an example?

- Grant
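The ACL approach and the third stage quoted above, as an added example that is not code from the thread. It assumes Linux with the acl tools (setfacl/getfacl) installed and a local unprivileged account named "backups" used by the pull job; BACKUP_USER, ARCHIVE_DIR and the sample paths are assumptions for illustration. It relies on the POSIX ACL rule that a named-user entry grants access independently of the owner and group mode bits (capped by the ACL mask, which setfacl -m recalculates), so a root-owned 700 file can carry a read entry for the backup account without any change to its owner or mode.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with the acl
# tools (setfacl/getfacl) and a local unprivileged account 'backups' for
# the pull job; BACKUP_USER and the sample paths are assumptions.

BACKUP_USER="${BACKUP_USER:-backups}"

# Stage 1 (on each server): give the pull account read access with a
# named-user ACL entry. Owner, group and mode bits stay untouched, so a
# root-owned 700 file stays 700 for everyone else. 'rX' grants r on files
# and rx on directories (X = execute only where the object is a directory
# or already executable), so one recursive call covers both. The second
# command adds a default ACL so files created later under the tree
# inherit the grant instead of silently dropping out of the backup.
acl_grant_cmds() {
    # $1 = directory tree to expose read-only to the backup account
    printf 'setfacl -R -m u:%s:rX %s\n' "$BACKUP_USER" "$1"
    printf 'setfacl -R -d -m u:%s:rX %s\n' "$BACKUP_USER" "$1"
}

# Apply the commands above (needs root, or ownership of the files).
acl_grant() {
    acl_grant_cmds "$1" | sh -e
}

# Ownership for the restore: getfacl -R records '# owner:' and '# group:'
# lines for every object, so a manifest written on the server is the
# "separate file" holding the correct ownerships. On restore, root runs
# 'setfacl --restore=<manifest>', which reapplies owner, group, mode and
# ACLs from that file; the manifest itself must be inside the backed-up
# tree so the pull job picks it up.
acl_manifest_cmd() {
    # $1 = tree, $2 = manifest path (keep it under $1)
    printf 'getfacl -R -p %s > %s\n' "$1" "$2"
}

# Stage 3 (on the backup server): once a pull job finishes, move the
# completed copy into an archive directory the pull account cannot write.
# A compromised server can then only touch the in-progress copy, never
# the archived ones; run this from the job scheduler after the pull step.
rotate_completed() {
    # $1 = directory the pull job wrote into, $2 = archive root
    [ -d "$1" ] || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2" || return 1
    dest="$2/$(basename "$1").$stamp"
    mv "$1" "$dest" && echo "$dest"
}
```

Typical use on a server is `acl_grant /srv/www` followed by `acl_manifest_cmd /srv/www /srv/www/.acl-manifest | sh`, run as root from cron before the pull window; on the backup server the scheduler runs the pull as the backups account and then `rotate_completed /backups/incoming/web1 /backups/archive` as a separate account that owns the archive tree. Check the result on the server with `getfacl /srv/www/some-file`, which should list `user:backups:r--` alongside the original `# owner:` and mode bits.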