LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 11-28-2005, 12:58 PM   #1
evank
LQ Newbie
 
Registered: Jan 2005
Location: USA
Posts: 20

Rep: Reputation: 0
creating a secure ftp-based backup account?


i'm scripting a backup process for a series of servers, where one server (the "backup server") will ftp into all other servers and grab files for backing up to tape on a scheduled regular basis.

now, we have two (debian 3.1) linux servers and a windows 2003 server, and on the win2k3, i created a user with total read access and no write access. as well, this ftp account is restricted to one static ip (that of the backup server).

i'd like to do the equivalent on the debian linux servers, to create a user account with read access to all files (can ftp in and GET any files owned by any user), but no write access (can't SEND or modify any files). and if possible, I'd like to restrict ftp access under this specific user account to a single static ip. (we're using ProFTPD 1.2.10 Server on the debian)

the problem is, i'm thoroughly versed in windows, but not so much in linux, and so i'd greatly appreciate any help given.
 
Old 11-29-2005, 06:10 AM   #2
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
How about this:
Create a mere mortal linux user. he will have read-write access to his home folder. Have him execute the script for calling up ftp and store them in his home folder. This should improve system security, even if your script poses a security thread.
You automatically get the access rights of the user name you use to login. If user foo on the Win2k3 machine kan only read a file, so will everybody loging in as foo. So if your script logs into the ftp service as foo (call the user foo as well, for convinience), the access problem would be solved on both backup server and Win2k3.
I'm not really mean what you mean with "a single, static IP" though. The backup server should have a static IP or the server can only contact a specific IP? Or is the user only able to contact that one IP while the rest of the system can do what it wants?
 
Old 11-29-2005, 12:51 PM   #3
evank
LQ Newbie
 
Registered: Jan 2005
Location: USA
Posts: 20

Original Poster
Rep: Reputation: 0
the script is running remotely. I need it (the remote script) to be able to ftp into this debian server and have read access to ALL files and directories. it will then copy all these files to a remote machine via FTP.

the only way i know of to guarantee total access is by making the user a member of the root group, which I imagine is a HUGE security hole. hence why I'm asking if theres a way to gaurantee total read access to a user account of ALL files and dirs without leaving the front door open.
 
Old 11-30-2005, 01:44 AM   #4
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
I see.
You are right, the only way to read ALL files is to be root or at least to bear a root groupuid. However the data that is for root use only is minimal (mostly lost&found's and /etc). I would encourage you to limit the files that need to be backuped to those really necessary (like home folders or libs), unless of course the root is used to altering system setting in /etc on a daily basis...
If you need to back up some more sensitive material like /etc ssh keyrings, do it on a local scale as root and then download the backup via ftp. Do this only after important (and functional) changes.

If you create a ftp acount for a user bearing root rights or even being root, I would advise you to use secure ftp.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
creating a secure ftp server with chrooting MisterESauce Linux - Networking 6 04-07-2005 12:22 PM
creating a secure certificate dominant Linux - Security 7 01-28-2005 10:44 AM
Secure Backup to RH9 from RH9 or Windows using secured FTP funaroma Linux - General 7 01-03-2005 09:36 AM
How to set up user account (secure email) . . . zthomasz Linux - Newbie 0 05-09-2004 12:47 PM
Creating Secure SMB Connections scottpioso Linux - Networking 17 12-03-2003 09:07 AM


All times are GMT -5. The time now is 08:18 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration