>> I'm planning to rsync --fake-super the important files from each
>> client to a particular folder on the backup server as an unprivileged
>> user and then have the backup server run rdiff-backup locally to
>> maintain a history of those files.
>
> How does that work with files that aren't world-readable?

The client can run rsync as root; the unprivileged user would be writing on the backup server. --fake-super writes all original ownership/permissions to xattrs in the files.

>> authorized_keys on the server
>> would restrict the clients to a particular rsync command in a
>> particular directory. That way if the backup server is infiltrated,
>> the clients aren't exposed in any way, and if a client is infiltrated,
>> the only extra exposure is the rsync'ed copy of the files on the
>> server which isn't a real vulnerability because of the rdiff-backup
>> history. I'd also like to have a secondary backup server pull those
>> same rsync'ed files from the primary backup server and run its own
>> rdiff-backup repository on them. That way all copies of any system's
>> backups are never made vulnerable by the break-in of a single system.
>>
>> Doesn't that compare favorably to a layout like backuppc's?
>
> It's a lot more work and doesn't cover everything. One of the advantages
> of a pull system like BackupPC is that the only work needed on the client
> is adding the backuppc user's key to authorized keys. Everything else is
> done by the server. If the server cannot contact the client, or the
> connection is broken mid-backup, it tries again. It also gives a single
> point of configuration. If you want to change the backup plan for all
> machines, you make one change on one computer.

If you have a crazy number of machines to back up, I could see sacrificing some security for convenience. Still, I would think you could use something like puppet to have the best of both worlds. I have 5 machines and I think I can get it down to 3.

> It works well, saves work and minimises disk space usage, especially with
> multiple similar clients. Preventing infiltration is simple as you don't
> need to open it to the Internet at all, the backup server can be
> completely stealthed and still do its job.

Obviously the backup server has to be able to make outbound connections in order to pull, so I think you're saying it could drop inbound connections, but then how could you talk to it? Do you mean a local backup server?

- Grant
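The authorized_keys restriction described in the thread, as an added example that is not the thread's own code: a forced-command wrapper that the backup server runs instead of whatever the client's key asks for, so the key can only push into one directory. It assumes the script is installed as /usr/local/bin/rsync-only, that client1's directory is /backups/client1, and that the server rather than the client adds --fake-super; all three are illustrative choices.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for the push backup design above.
# Each client's key in the backup user's authorized_keys on the server is
# pinned to this script and to that client's directory (hypothetical values):
#   command="/usr/local/bin/rsync-only /backups/client1",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... client1
# sshd then runs this script with the client's request in $SSH_ORIGINAL_COMMAND.

# check_rsync_command ALLOWED_DIR COMMAND: 0 if COMMAND may run, 1 if not.
check_rsync_command() {
    dir=$1
    set -f               # no glob expansion while re-splitting the string
    set -- $2            # word-split on IFS (spaces, tabs, newlines)
    set +f
    # Only an rsync server invocation may run through this key.
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    word=
    for word in "$@"; do
        case $word in
            --sender) return 1 ;;   # in a push the server receives; never sends
            # Plain option and path characters only: no shell metacharacters.
            *[!A-Za-z0-9._/=,-]*) return 1 ;;
        esac
    done
    # The last argument is the destination: the pinned directory or a
    # subdirectory of it, and no ".." path component anywhere in it.
    dest=$word
    case $dest in
        "$dir"|"$dir"/*) ;;
        *) return 1 ;;
    esac
    case /$dest/ in
        */../*) return 1 ;;
    esac
    return 0
}

# Entry point when invoked by sshd as a forced command (skipped otherwise).
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_command "$1" "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        shift 2    # drop "rsync --server"; re-added below
        exec rsync --fake-super --server "$@"   # server forces xattr ownership records
    fi
    echo "rsync-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

rsync itself ships a fuller wrapper of this kind, rrsync, in its support directory; this version only shows which checks the key restriction is doing (receiver only, pinned directory, no shell metacharacters).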