duplicity-talk

Re: [Duplicity-talk] Biggest nightmare


From: Edgar Soldin
Subject: Re: [Duplicity-talk] Biggest nightmare
Date: Sun, 31 May 2009 12:13:39 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21 Mnenhy/0.7.5.0

Didn't know that. Pretty sure you are welcome to deliver patches ...
regards ede
--
> Edgar Soldin wrote:
>   
>> could you clear that up for me? ..ede
>>     
>
> Suppose you wanted to implement my solution, that is, protect the
> backups, by only allowing create new file, read and list operations.
> Currently, duplicity uses both SFTP and SCP for the „ssh://” URL, which
> would mean that you would have to implement both a restricted SFTP and a
> restricted SCP server.
>
> In order to reduce the effort of coding such a restricted server, I propose
> creating a „pure” SFTP backend.
>
>   
>>> Edgar Soldin wrote:
>>>   
>>>       
>>>> A backup repository pulling the backups from the duplicity host seems
>>>> easier to setup to me.
>>>> Why would you want a pure sftp backend?
>>>>     
>>>>         
>>> So that you only need to write a restricted SFTP server, without having
>>> to write a restricted SCP server.
>>>
>>>   
>>>       
>>>> ... ede
>>>>     
>>>>         
>>>>> I would like to add another idea and know what you're thinking about it.
>>>>> Everything duplicity needs for „normal” backup operations is to list
>>>>> files, read files and create new (non-existing) files. So I thought
>>>>> about creating a restricted SFTP server, which would allow exactly these
>>>>> three operations. Then an evil attacker could not compromise backups.
>>>>>
>>>>> A user who has an SSH account on a backup host, would use two keys:
>>>>> a) not-password-protected, restricted to SFTP
>>>>> b) password-protected, restricted to backup maintenance, which he
>>>>> should actually *never* use
>>>>>
>>>>> Unfortunately, I could not find any Restricted SFTP server, but writing
>>>>> a paramiko-based one should not be too difficult. Also, duplicity does
>>>>> not currently have a „pure” SFTP backend, but again, this should be
>>>>> a piece of cake.
>>>>>
>>>>> So, what do you think?
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Duplicity-talk mailing list
>>>>> address@hidden
>>>>> http://lists.nongnu.org/mailman/listinfo/duplicity-talk
>   
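The policy proposed in this thread (list, read and create-new only), as an added example that is not code from duplicity or from anyone in the thread. `WriteOnceStore` and its methods are hypothetical names; the example assumes a POSIX filesystem and covers only the access decisions, not the SFTP wire handling.

```python
import os
import tempfile

# SFTP v3 open flags (pflags) from draft-ietf-secsh-filexfer-02
FXF_READ, FXF_WRITE, FXF_APPEND, FXF_CREAT, FXF_TRUNC, FXF_EXCL = 1, 2, 4, 8, 16, 32

class WriteOnceStore:
    """Hypothetical policy core: list, read and create-new are the only operations."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, name):
        # Confine every path to the backup root (blocks ../ and symlink escapes).
        path = os.path.realpath(os.path.join(self.root, name.lstrip("/")))
        if os.path.commonpath([self.root, path]) != self.root:
            raise PermissionError("path escapes backup root")
        return path

    def listdir(self, name=""):
        return sorted(os.listdir(self._resolve(name)))

    def open(self, name, pflags):
        path = self._resolve(name)
        if pflags == FXF_READ:
            return os.open(path, os.O_RDONLY)
        if pflags & FXF_WRITE and pflags & FXF_CREAT:
            # Always add O_EXCL, whatever the client sent: the kernel refuses
            # atomically if the name exists, so TRUNC/APPEND cannot touch old data.
            return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        raise PermissionError("only read or create-new opens are allowed")

    def refuse(self, operation):
        # remove, rename, setstat, mkdir, rmdir, symlink: no handler grants these.
        raise PermissionError(operation + " is not permitted")

def demo():
    """Constructed scenario: one upload, then an attempt to overwrite it."""
    with tempfile.TemporaryDirectory() as root:
        store = WriteOnceStore(root)
        fd = store.open("vol1.difftar.gpg", FXF_WRITE | FXF_CREAT | FXF_TRUNC)
        os.write(fd, b"constructed sample data")
        os.close(fd)
        try:
            store.open("vol1.difftar.gpg", FXF_WRITE | FXF_CREAT | FXF_TRUNC)
            overwritten = True
        except FileExistsError:
            overwritten = False
        return store.listdir(), overwritten
```

A handle returned by a create-new open stays writable until it is closed, so the write-once guarantee starts at close; a server built this way also has to decide what to do with uploads that were interrupted before that point.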




