Comment on How do you protect a remote backup from a compromised account?
HelloRoot@lemy.lol 3 weeks ago
I think you could do it somewhat like hetzter does for their storage boxes. You get an account that has read and write access to a directory and nothing outside. The accound can only run a limited set of commands, like ls, cat, nano, rsync etc. but has no access to commands that modify the filesystem.
Then you can use a copy on write fs like btrfs and make scheduled staggered snapshots.
I usually do 1x per year, 1x per month of current year, 4 per week of current montg, 7 per day in current week.
groet@feddit.org 3 weeks ago
Nano and rsync are 100% designed to modify the filesystem. But yes the idea is correct.
Same with got over ssh, you restrict the connection to the got shell that can only do the things you want.
HelloRoot@lemy.lol 3 weeks ago
Are they? I thought they only write/modify/delete data to the fs, not change the fs itself.
groet@feddit.org 3 weeks ago
Yeah precice phrasing ia hard sometime. I was refering to delete/modify of files as “changes to the fs”. Not sure how changing the actuall fs would be relevant to the backup question.
OP needs a restricted shell that can take backup data and write it to disk but not be able to modify anything that is already there. Nano and rsync can both do that.
HelloRoot@lemy.lol 3 weeks ago
OP asked:
So I was thinking that the account should not be able to delete the filesystem in an unrecoverable way. Like overriding the current fs with random data or an encrypted fs and filling it etc.
Like I said on a Hetzner storage box, multiple users get access to the same system, but each one only has file editing commands, not fs editing and they can only access their assigned directory. So if the system does scheduled snapshots, there is no way for a user to delete the files beyond recoverability.