On 07/09/16 16:20, Austin S. Hemmelgarn wrote:
> I should probably add to this that you shouldn't be accepting
> send/receive data streams from untrusted sources anyway. While it
> probably won't crash your system, it's not intended for use as something
> like a network service. If you're sending a subvolume over an untrusted
> network, you should be tunneling it through SSH or something similar,
> and then using that to provide source verification and data integrity
> guarantees, and if you can't trust the systems you're running backups
> for, then you have bigger issues to deal with.
In my personal case I'm not talking about accepting streams from untrusted sources (although that is also a perfectly reasonable question to discuss). My concern is if one of my (well managed and trusted but never perfect) systems is hacked, can the intruder use that as an entry to attack others of my systems?

In particular, I never trust my systems which live on the internet with automated access to my personal systems (without a human providing additional passwords/keys), although I do allow some automated accesses the other way around. I am trying to determine if sharing btrfs-send-based backups would open a vulnerability.

There are articles on the web suggesting that centralised btrfs-send-based backups are a good idea (using ssh access with separate keys for each system which automatically invoke btrfs-receive into a system-specific path). My tests so far suggest that this may not be as secure as the articles imply.

In any case, I think this is a topic worth investigating further, if any graduate student is looking for a PhD topic!
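The per-system-key setup the message refers to is usually done with an SSH forced command on the backup host. The wrapper below is an added illustration of that pattern (not code from the thread or from btrfs-progs): the key's `command=` option pins both the command and the target directory, the client-supplied `SSH_ORIGINAL_COMMAND` is ignored, and the system name is validated so one sender's key cannot be pointed at another sender's path. The backup root `/srv/backups` and the script path are assumptions; whether the receive stream itself can be abused once it reaches `btrfs receive` is exactly the open question the message raises, and this wrapper does not answer it.

```shell
#!/bin/sh
# btrfs-recv-wrapper: forced-command target for per-system btrfs receive.
# One authorized_keys line per sending system, e.g. (assumed paths/key):
#   command="/usr/local/sbin/btrfs-recv-wrapper hostA",restrict ssh-ed25519 AAAA... hostA-backup
# The "restrict" option disables pty, port/agent/X11 forwarding, so the key
# can only ever trigger this script with the name fixed in the key line.

BACKUP_ROOT=/srv/backups   # assumption: parent of all per-system receive dirs

# Accept only a short alphanumeric/dash name: no '/', no '.', no leading '-'.
# This keeps "../other-host" or option-like names out of the receive path.
validate_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*|-*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Map a validated system name to its fixed receive directory; fails otherwise.
target_dir() {
  validate_name "$1" || return 1
  printf '%s/%s\n' "$BACKUP_ROOT" "$1"
}

# Run the receive. SSH_ORIGINAL_COMMAND is deliberately never consulted, so
# the remote side cannot choose a command, a path, or any btrfs options.
run_receive() {
  dir=$(target_dir "$1") || { echo "refused: bad system name" >&2; return 1; }
  [ -d "$dir" ] || { echo "refused: no backup dir for $1" >&2; return 1; }
  exec btrfs receive "$dir"
}

# Entry point when invoked as a forced command (no argument: do nothing).
case "${1-}" in
  '') ;;
  *) run_receive "$1" ;;
esac
```

Rotating the key for one system only revokes that system's line; the receive directory for every other sender stays unreachable from it.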
