Guillermo Rozas wrote at about 22:36:50 -0300 on Monday, March 21, 2022:
> > > I don't think backuppc uses sudo. You should enable root access
> > > "without-password" in your sshd.conf, then set up backuppc to use a key
> > > to SSH in as root.
> > >
> I would consider that configuration (SSH for root with a passwordless key)
> a VERY VERY dangerous configuration.
>
The poster is not saying no password, I think he/she is just saying
use an unencrypted private ssh key...

There are some things you can do to *partially* harden the situation.
While this might be particularly dangerous, if you are going to
back up a machine fully then you will need at least root-like read access
to all the files on that machine.

Things to consider include:

1. Use sudo for the backuppc login user (say: 'backuppclogin')
   restricted only to the specific 'backuppclogin' user and the
   /usr/bin/rsync string that is sent by backing up

       backuppclogin ALL=NOPASSWD: /usr/bin/rsync --server --sender -slHogDtpAXrxe.iLsf, /usr/bin/rsync --server --sender -slHogDtpAXrcxe.iLsf

   (note: this is not perfect as you still are able to read
   *everything* root can and there might be ways to overload the above
   strings to get even more access)

2. Use ssh-agent so that you can use an ssh-key with password though
   you will need to add the key to the backuppc user keychain

3. I'm sure there are other things you can do with SELinux, ACLs etc
   to be more restrictive of privileges...

Would be good to hear what others do here...

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
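
Added example, not part of the message above and not BackupPC's own code: a forced-command gate that complements the sudoers restriction in item 1, so the unencrypted key can only request the listed rsync sender commands. The wrapper path, the authorized_keys line and the trailing ". <path>" arguments are assumptions.

```sh
#!/bin/sh
# Added example: forced-command gate for the unencrypted backup key.
# Assumed authorized_keys line for 'backuppclogin' (path and key are placeholders):
#   command="/usr/local/bin/backup-gate",restrict ssh-ed25519 <PUBLIC-KEY> backuppc
# sshd runs this script instead of whatever the client asked for and passes
# the requested command in SSH_ORIGINAL_COMMAND.

# Flag strings copied from the sudoers rule quoted in the thread.
ALLOWED_FLAGS='-slHogDtpAXrxe.iLsf -slHogDtpAXrcxe.iLsf'

# check_backup_cmd CMD: succeed only for
#   sudo /usr/bin/rsync --server --sender <allowed flags> . <absolute path>
# The trailing ". <path>" is an assumption about what the client appends.
# The body is a subshell so 'set -f' and LC_ALL do not leak to the caller.
check_backup_cmd() (
    LC_ALL=C
    set -f                      # no globbing while the string is split
    set -- $1
    [ "$#" -eq 7 ] || exit 1
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9./_-]*) exit 1 ;;   # quotes, ;, |, $, backticks, ...
        esac
    done
    [ "$1 $2 $3 $4" = 'sudo /usr/bin/rsync --server --sender' ] || exit 1
    case " $ALLOWED_FLAGS " in
        *" $5 "*) ;;
        *) exit 1 ;;
    esac
    [ "$6" = . ] || exit 1
    case $7 in /*) ;; *) exit 1 ;; esac     # absolute path only
    case "/$7/" in */../*) exit 1 ;; esac   # no parent-directory components
    exit 0
)

# Forced-command entry point: only acts when sshd has set SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND          # validated words only, no 'sh -c'
    fi
    logger -t backup-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The gate narrows what the key can start; it does not change the point made in item 1 that an accepted command still reads everything root can.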