Hello Axel, I registered the #backuppc channel on Freenode. it's not too popular at the moment, but I'm usually in & out and I've talked to a few people in there. I don't know how much help I could be, but I do suggest people come in and talk about BackupPC, and offer what help they can as well.
On Mon, Apr 7, 2008 at 11:33 AM, Axel Beckert <[EMAIL PROTECTED]> wrote: > Hi, > > three things which I was thinking about recently: > > > First thing: > > We're running a BackupPC server with several TB disk space for laptops > in our Department. As usual some users are more paranoid than > others... > > The more paranoid users who just want their data backed up, not the > whole machine, won't give root permission to the backup server's ssh > key. So we ssh into the user whose home directory we want to back. No > problem so far. > > But now I've got a few such boxes used by two or more persons (a > professor and his phd students) and all want their home directory > backed up, but they don't want to give out root login rights. > > Has anyone done something similar already? The machines in question > currently are Macs with MacOS X (so we need to use tar), but we > probably also need to do this for Linux machines (preferably with > rsync). > > Currently I have several ideas how to accomplish that: > > + An ssh wrapper which would execute the tar command on the computer > one time for each user. Problem: Just simply concatenate the tar > files won't work, you need to make one archive out of them. > > + Giving multiple DNS aliases to the computers in question and then > seeing them als multiple hosts. (Hope, BackupPC doesn't several > hosts having the same IP address.) > > There are two variants of this idea: > > - Using /etc/hosts of the BackupPC server. Wouldn't clutter the > normal DNS, but you need to make all changes to DNS in the hosts > file, too. > > - Using CNAME records in DNS. Would be visible for others. Only one > place to do changes. > > + Creating a local user account on the client which has access to all > home directories to backup, but not more. Sounds like a big mess (or > at least a big effort) in regards to Unix file permissions. > > I currently prefer the DNS alias method (don't know yet if via > /etc/hosts or normal DNS), but would be happy to hear from others with > similar situation what ideas (and perhaps solutions) they had. > > > Second thing: > > One of our more paranoid users suggested an improvement which won't > help if the backup server itself would be compromised but will help if > the private key got outside the backup server somehow (and makes > administration harder, if the server changes): > > Using options in the authorized_keys file can dyke a key-only > compromise: The line > > from="server1.example.org" ssh-rsa AAAAB3...8z [EMAIL PROTECTED] > > would restrict the key to being used only by the host > server1.example.org. The given hostname must be the hostname in the > PTR record for the IP address the BackupPC server connects from. CNAME > records like e.g backuppc.example.org pointing to server1.example.org > won't work in most cases. > > IMHO it wouldn't be bad if this could mentioned at > http://backuppc.sourceforge.net/faq/security.html#ssh_key_security > > Second and a half thing: ;-) > > I also played around a little bit with the command="..." option. It > looks like you could use it with something like > > command="tar `cat`" and then use it from BackupPC like this: > > $Conf{TarClientCmd} = 'echo cpvf - -C $shareName+ --totals | $sshPath -q -x > -n -l root $host $tarPath'; > > And even if it doesn't look very security-wise, I haven't managed to > exploit command="echo `cat`" -- every meta character (backtick, > backslash, dollar, semicolon, line break, exclamation mark) I tried > was output literally. > > Haven't tested it yet though. And it probably won't work for any > command which uses both STDIN and STDOUT like e.g. rsync. > > > Third thing: > > Is there no IRC channel for BackupPC users? I've looked in IRCnet, > Freenode and OFTC. ChanServ seems to know about #backuppc in Freenode, > but nobody was in there. > > Kind regards, Axel Beckert > -- > Axel Beckert <[EMAIL PROTECTED]> support: +41 44 633 2668 > IT Support Group, HPR E 86.1 voice: +41 44 633 4189 > Departement Physik, ETH Zurich fax: +41 44 633 1239 > CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/ > > ------------------------------------------------------------------------- > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference > Register now and save $200. Hurry, offer ends at 11:59 p.m., > Monday, April 7! Use priority code J8TLD2. > > http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone > _______________________________________________ > BackupPC-users mailing list > [email protected] > List: https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki: http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ > -- Paul Mantz http://www.mcpantz.org Zmanda - Open source backup and recovery http://www.zmanda.com/ ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Register now and save $200. Hurry, offer ends at 11:59 p.m., Monday, April 7! Use priority code J8TLD2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ BackupPC-users mailing list [email protected] List: https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki: http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
