3.2 Samba/CIFS

The approach is similar to that of NFS. On tarpool, a folder can be exposed as a share. We’ll assume the following lines in smb.conf:

[jdbackup]
path = /backup/jd
browseable = no
force user = jdbackup
hosts allow = jd
hosts deny = ALL
username = jdbackup
security mask = 0700

This setup assumes there is an account called jdbackup on tarpool. It also assumes that /backup/jd is owned by jdbackup:jdbackup with permissions set to 700. smbpasswd should be used to set the SMB password for jdbackup on tarpool. The [global] section should enable encrypted passwords (encrypt passwords = yes) and use user-level security (security = user).

It is important to set up hosts allow and hosts deny for all the shares on tarpool. The share of each server should be visible only to the server being backed up. This makes sure that even if jd is compromised, the backup archives of other servers (also stored on tarpool) will not be exposed. As an additional assurance, each server to be backed up should have a different account set up to represent it. This way, we have one additional layer of protection, based on file permissions and ownership on tarpool, to ensure that one compromised system cannot lead to a leak of backup data from other servers.

On jd, care must be taken not to expose the password for mounting the remote volume. It is a bad idea to use a command like the following in an automated script:

mount //tarpool/jdbackup /backup -ousername=jdbackup,password=nosecret,fmask=0700,dmask=0700

Even if this script is fully protected (root as owner, 700 as permissions), it is still not 100% secure. Why? Because the command ps can display all options (arguments) of a command line. If a malicious user is patient enough, he/she can write a program that logs all running commands (with all their arguments) periodically. The chance of catching the mount command may be slim, but it is there. The exposure risk increases as the load of the system increases, or when the network is busy.

Instead of including the username and password in the command itself, do the following:

mount //tarpool/jdbackup /backup -ousername=`cat /root/backupusername`,password=`cat /root/backuppassword`,fmask=0700,dmask=0700

The backquotes are expanded as the command is interpreted by the shell. Of course, this means that you need to have the files /root/backupusername and /root/backuppassword set up. These two files must be protected so that the ownership is root:root and the permissions are 0300. This way, even if the command line can be “sniffed” by a program watching the output of ps, the actual username and password are protected by the file system.

Also, never forget to use fmask and dmask to limit the permissions of the files and directories (respectively) of //tarpool/jdbackup as they appear on jd.
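As an added example (not from the original text), the same mount done with a mount.cifs credentials file, which keeps the secret out of every process's argument list: a backquote substitution is expanded by the shell before mount is executed, so the expanded password is still handed to mount as an argument. Assumed here are the file path /root/jdbackup.cred, the expected owner root, and that cifs-utils' mount.cifs is the helper (its credentials=, file_mode= and dir_mode= options; the last two are the current names for fmask/dmask).

```shell
#!/bin/sh
# Added example: mount the jdbackup share on jd with a credentials file,
# refusing to run unless that file is locked down. The path, the owner
# "root" and the cifs-utils option names are assumptions, not from the text.

CRED_FILE=${CRED_FILE:-/root/jdbackup.cred}   # assumed path; the file holds
                                              # "username=jdbackup" and
                                              # "password=..." lines

# cred_file_ok FILE [OWNER]
# Succeeds only if FILE is a regular file owned by OWNER (default root) with
# no group or other permission bits, i.e. mode 0600 or stricter.
# ls -ld is used because stat's flags differ between GNU and BSD userlands.
cred_file_ok() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")          # $1 = mode string, $3 = owner
    [ "$3" = "$owner" ] || return 1
    case "$1" in
        ????------*) return 0 ;;   # chars 5-10 (group/other) all "-";
        *)           return 1 ;;   # a trailing "+"/"." (ACL, SELinux) is fine
    esac
}

# cifs_mount_opts CREDFILE
# Prints the -o string for the mount. Only the credentials file's path is on
# the command line; mount.cifs reads username= and password= from inside the
# file (credentials= option), so nothing secret is ever visible in ps.
cifs_mount_opts() {
    printf 'credentials=%s,file_mode=0700,dir_mode=0700' "$1"
}

# run_backup_mount: the permission check gates the mount.
run_backup_mount() {
    if ! cred_file_ok "$CRED_FILE" root; then
        echo "refusing to mount: $CRED_FILE must be root-owned, mode 0600 or stricter" >&2
        return 1
    fi
    mount -t cifs //tarpool/jdbackup /backup -o "$(cifs_mount_opts "$CRED_FILE")"
}

# Run as "sh this.sh --mount" from the backup job; otherwise only the
# functions are defined (so the script can be sourced or tested).
if [ "${1:-}" = "--mount" ]; then
    run_backup_mount
fi
```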