Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm scripting a backup process for a series of servers, where one server (the "backup server") will ftp into all other servers and grab files for backing up to tape on a scheduled regular basis.
Now, we have two (Debian 3.1) Linux servers and a Windows 2003 server, and on the win2k3, I created a user with total read access and no write access. As well, this ftp account is restricted to one static IP (that of the backup server).
I'd like to do the equivalent on the Debian Linux servers, to create a user account with read access to all files (can ftp in and GET any files owned by any user), but no write access (can't SEND or modify any files). And if possible, I'd like to restrict ftp access under this specific user account to a single static IP. (We're using ProFTPD 1.2.10 Server on the Debian.)
The problem is, I'm thoroughly versed in Windows, but not so much in Linux, and so I'd greatly appreciate any help given.
How about this:
Create a mere mortal Linux user. He will have read-write access to his home folder. Have him execute the script for calling up ftp and store them in his home folder. This should improve system security, even if your script poses a security threat.
You automatically get the access rights of the user name you use to log in. If user foo on the Win2k3 machine can only read a file, so will everybody logging in as foo. So if your script logs into the ftp service as foo (call the user foo as well, for convenience), the access problem would be solved on both backup server and Win2k3.
I'm not really sure what you mean with "a single, static IP" though. The backup server should have a static IP or the server can only contact a specific IP? Or is the user only able to contact that one IP while the rest of the system can do what it wants?
The script is running remotely. I need it (the remote script) to be able to ftp into this Debian server and have read access to ALL files and directories. It will then copy all these files to a remote machine via FTP.
The only way I know of to guarantee total access is by making the user a member of the root group, which I imagine is a HUGE security hole. Hence why I'm asking if there's a way to guarantee total read access to a user account of ALL files and dirs without leaving the front door open.
I see.
You are right, the only way to read ALL files is to be root or at least to bear a root groupuid. However the data that is for root use only is minimal (mostly lost&found's and /etc). I would encourage you to limit the files that need to be backed up to those really necessary (like home folders or libs), unless of course the root is used to altering system settings in /etc on a daily basis...
If you need to back up some more sensitive material like /etc ssh keyrings, do it on a local scale as root and then download the backup via ftp. Do this only after important (and functional) changes.
If you create an ftp account for a user bearing root rights or even being root, I would advise you to use secure ftp.
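
One way to do the "back up locally as root, then download via ftp" step from the last reply, as an added example that is not part of the thread. The function name `stage_backup`, the staging directory and the optional group argument are assumptions; the idea is that root's cron job writes the archive and the unprivileged ftp account only ever reads the staging directory.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to be run by root, e.g. from
# cron, so the ftp backup account never needs root or root-group rights.

# stage_backup SRC_DIR STAGE_DIR [GROUP]   (hypothetical helper)
# Archives SRC_DIR into STAGE_DIR as a dated tar.gz readable only by the
# owner and GROUP, and prints the archive path on success.
stage_backup() {
    src=$1
    stage=$2
    group=${3:-}

    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$stage" || return 1
    chmod 750 "$stage" || return 1

    name=$(basename "$src")-$(date +%Y%m%d).tar.gz
    tmp=$stage/.$name.partial
    out=$stage/$name

    # umask 077: the archive is never world-readable, even while being written.
    ( umask 077 && tar -czf "$tmp" -C "$(dirname "$src")" "$(basename "$src")" ) \
        || { rm -f "$tmp"; return 1; }

    # Refuse to publish an archive that does not list cleanly.
    tar -tzf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }

    # Optionally hand read access to the group of the read-only ftp account.
    if [ -n "$group" ]; then
        chgrp "$group" "$stage" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 640 "$tmp" || { rm -f "$tmp"; return 1; }

    # Rename within the same directory is atomic, so a download in progress
    # never picks up a half-written file.
    mv -f "$tmp" "$out" || return 1
    echo "$out"
}
```

With this in place the ftp account only needs read access to the staging directory, for example `stage_backup /etc /var/backups/stage backupgrp` from root's crontab (path and group name are placeholders).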