bareos-fd client limit access to files

42 views
Skip to first unread message

Spiros Papageorgiou

unread,
Nov 23, 2019, 10:37:35 AM11/23/19
to bareos-users
Hi all,

I have a linux machine that produces some data that I want to backup. I want to use a centralized backup service (based on bareos) that I have access to. So, they told me to install bareos-fd and tell them which files, I want them to backup.

My problem is that I would like to limit the files that bareos-fd has access to, because the centralized backup service has potentialy the capability of backing up all the files of my linux , which is something i don't want.

So, Can i limit the access of bareos-fd to a specific set of files on my linux server?

Thanx,
Sp

Jörg Steffens

unread,
Nov 23, 2019, 11:23:34 AM11/23/19
to bareos...@googlegroups.com
On 23.11.19 at 16:37 wrote Spiros Papageorgiou:
Typically, this is solved in another way. If you use
https://docs.bareos.org/master/TasksAndConcepts/DataEncryption.html, the
Bareos Director can still retrieve all files, but all the backup data
will be encrypted before it is transferred to the server and only you
client can deencrypt it. (the content of the files is encrypted.
Meta-data like filenames and timestamps are still readable.)

Alternately, the bareos-fd normally runs as root to get access to all
files. You can run it as another user and therefore the bareos-fd can
only access the files accessible by that user.

In any case, you should also disable or at least limit run scripts, as
otherwise the admin can retrieve data with these scripts. Also Plugins
should be disabled or restricted.
So take a look at
https://docs.bareos.org/master/Configuration/FileDaemon.html

* Allowed Job Command
* Allowed Script Dir
* Plugin Directory
* Plugin Names

Regards,
Jörg

--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10

Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
Komplementär: Bareos Verwaltungs-GmbH
Geschäftsführer:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz

Spiros Papageorgiou

unread,
Nov 23, 2019, 11:57:22 AM11/23/19
to bareos-users
Thanx for the clear answer!

In any case it would be a nice feature to be able to control which files are allowed to be backed up, by the bareos-fd.

Sp 
 Jörg Steffens                   joerg....@bareos.com

Spadajspadaj

unread,
Nov 23, 2019, 12:14:46 PM11/23/19
to bareos-users

I'd add a thing or two to Jörg's answer.

Firstly, if you don't trust the backup provider, the whole backup setup is highly questionable. Remember that even though you can encrypt the file contents, you keep the filenames in clear text in the database, so there is at least a vector of enumeration of files on your system which could potentially lead to abuse.

You can however make a formal agreement (which is out of technical scope of bareos itself) with the backup provider that limits the backup job only to specific files. But to be able to verify whether the backup provider keeps to its end of the deal you can configure logging on the filedaemon so you have some kind of accounting.

Thirdly, running bareos-fd as a non-root user can have its drawbacks in terms of file access. As an alternative you could try using SELinux and creating specific policy which allows backups of only selected files but it will probably be complicated and error-prone.

MK

--
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bareos-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/7e76b38b-e2f6-48e4-8980-96d730353e0c%40googlegroups.com.

Andreas Rogge

unread,
Nov 25, 2019, 4:48:54 AM11/25/19
to bareos...@googlegroups.com
Am 23.11.19 um 16:37 schrieb Spiros Papageorgiou:
> So, Can i limit the access of bareos-fd to a specific set of files on my
> linux server?
All standard measures apply: You can use Discretionary Access Control
(standard Unix permissions) and Mandatory Access Control (e.g. SELinux)
to do this.
Basically you run bareos-fd with a non-root account and give it
permission to do what you want it to do just like every other service.

You also need to consider that bareos-fd in the default setup cannot
only read every file on your system, but also write to every file on
your system (including its own configuration) which makes it possible
overwrite the bareos-fd configuration from the director if you didn't
plan your setup thoroughly.

Best Regards,
Andreas
--
Andreas Rogge andrea...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221-630693-86
http://www.bareos.com

Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
Komplementär: Bareos Verwaltungs-GmbH
Geschäftsführer: S. Dühr, M. Außendorf, J. Steffens, Philipp Storz

signature.asc
Reply all
Reply to author
Forward
0 new messages