Using filesystem capabilities
with rsync
(or, how I learned to stop worrying and love
CAP_DAC_READ_SEARCH)
Hazel Smith
FLOSS UK Unconference 2015
Note: Some slides added subsequent to original talk, in response to questions asked
The use case
● You want to regularly back up the entire filesystem on
fileserver.example.com including all system files
● You're backing up to a remote host, backup.example.com
● You want to set it up in under an hour, and don't want to mess
about installing backup agents
● You don't want your machines connecting to
backup.example.com
● You don't want to create a large backup spool directory on
fileserver.example.com
● You want your backups to be quick and light on network traffic
The problem
Using rsync for remote backup is great, but you have two
main (terrible) choices:
– Key-based SSH from backup.example.com to
root@fileserver.example.com – this is bad because it
means your backup host has full rootly powers on every
host it backs up
– Key-based SSH from fileserver.example.com to
root@backup.example.com – this is bad because it
means every server has root on your backup host :(
– Or, give up and use tarballs/filesystem dumps/...
The solution
● Have backup.example.com back up
fileserver.example.com using rsync over SSH, but:
– Have rsync connect to fileserver.example.com using a
non-root user – we called this user “backuphelper”
– Use filesystem capabilities to allow /usr/bin/rsync to inherit
the specific capability required,
CAP_DAC_READ_SEARCH
– Use pam_cap, a PAM (pluggable authentication modules)
module to grant “backuphelper” the
CAP_DAC_READ_SEARCH capability, but none of the
other rootly powers
– Edit /etc/ssh/sshd_config on fileserver.example.com to
disable password authentication for the backuphelper user
What is PAM?
● The Pluggable Authentication Modules library
– Supports many auth methods, which can be added and
configured easily through library packages and config files.
– Examples include:
● pam_unix, which uses glibc's name service switch –
commonly to authenticate against the local /etc/passwd and /etc/shadow
● pam_krb5, authenticates against a Kerberos V KDC
– Also supports various session/utility modules, e.g.
pam_mkhomedir (creates home directory on first login) and
pam_tmpdir (creates per-user tmp directories on login)
– Supported on Linux, as well as Solaris, Mac OS X,
FreeBSD etc
– Standard originally defined by Sun Microsystems in 1995
What are Linux capabilities?
● Division of the rootly powers up into separate distinct
capabilities, e.g.
– CAP_NET_BIND_SERVICE – bind ports <1024
– CAP_DAC_READ_SEARCH – bypass file read permission
checks and directory read and execute permission checks
– CAP_DAC_OVERRIDE – override all discretionary access
controls on (local) filesystems
– See capabilities(7) for more
Permitted, Inheritable, Effective Sets *
● Permitted set
– Limiting superset for the effective capabilities that the
thread may assume. If a thread drops a capability from its
permitted set, it can never re-acquire that capability (except
by execve'ing a suid-root program, or a program whose
associated file capabilities grant that capability).
● Inheritable set
– Capabilities preserved across an execve(2). Provides a
mechanism for a process to assign capabilities to the
permitted set of the new program during an execve(2).
● Effective
– Capabilities used by the kernel to perform permission
checks for the thread.
* Content of this slide shamelessly taken from the Linux man page, capabilities(7)
Filesystem capabilities
● Allows you to attach capabilities to an executable (stored in its
security.capability extended attribute), so that a process gains
them upon execve(2) of that file
– At execve the new permitted set is (process inheritable AND file
inheritable) OR (file permitted AND bounding set); if the file's
effective bit is set, that permitted set is also made effective
(see capabilities(7))
– So a binary tagged +ei only confers the capability on callers who
already hold it in their inheritable set (here: backuphelper, via
pam_cap), while +ep would hand it to everyone who runs the binary
Putting it all together
● Debian packages installed:
– rsync
– libcap2-bin
– libpam-cap
Putting it all together
● Adding CAP_DAC_READ_SEARCH to /usr/bin/rsync (+e: raise it into
the effective set at execve; +i: only for callers that already carry it
in their inheritable set):
root@fileserver:~# setcap cap_dac_read_search+ei /usr/bin/rsync
root@fileserver:~# ls -l /usr/bin/rsync
-rwxr-xr-x 1 root root 409328 Dec 2 2012 /usr/bin/rsync
root@fileserver:~# getcap /usr/bin/rsync
/usr/bin/rsync = cap_dac_read_search+ei
● ls -l shows no change because the capability lives in the file's
security.capability extended attribute, not in the mode bits. A package
upgrade replaces the binary and silently drops it, so re-run setcap (or
at least check with getcap) after every rsync upgrade
Putting it all together
● Adding pam_cap.so to /etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth required pam_cap.so
Putting it all together
● Creating the "backuphelper" user (no password is set, so the account
is key-only from the start):
root@fileserver:~# adduser --disabled-password backuphelper
● Add the backup host's public key to ~backuphelper/.ssh/authorized_keys
root@fileserver:~# su - backuphelper
backuphelper@fileserver:~$ mkdir .ssh
backuphelper@fileserver:~$ echo "ssh-rsa ..." > .ssh/authorized_keys
Putting it all together
● Edit /etc/security/capability.conf
## user 'backuphelper' inherits the
## CAP_DAC_READ_SEARCH capability so that
## /usr/bin/rsync can back up the whole FS without needing
## to be run as root
cap_dac_read_search backuphelper
Putting it all together
● Modify /etc/ssh/sshd_config so that the SSH daemon will not
permit password authentication for the backuphelper user (a Match
block applies to everything after it, so put it at the end of the
file, and check the result with sshd -t):
Match User backuphelper
PasswordAuthentication no
Putting it all together
● Add a cron job to root's crontab on backup.example.com (one
line; crontab has no line continuation):
10 * * * * rsync -av -e 'ssh -i /root/.ssh/id_rsa_fileserverbackup' backuphelper@fileserver.example.com:/ /datapool/backups/fileserver.example.com/ --exclude={/dev/*,/proc/*,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found}
*** It was pointed out that I should've used -x (or, "--one-file-system") instead of a long list of --excludes
● The -x form is also the one that works from cron: {a,b,...} brace
expansion is a bash feature, and cron runs the command with /bin/sh
(dash on Debian), which passes the braces through literally as a
single pattern that matches nothing, so /proc and /sys get walked.
With -x, list each mounted filesystem you want (e.g. a separate
/home or /var) as its own source
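Once the pieces above are in place, the checks a practitioner wants are that the capability reaches rsync on the file server, that it reaches nothing else, and that it is still there after the next package upgrade. The script below is an added example, not from the talk. It assumes the host, user and key path from the slides, that /root on the file server is a 0700 root-only directory to probe, and that the key can still run arbitrary commands (i.e. it has not yet been locked to a forced command). The /proc/<pid>/status samples embedded in it are constructed, not captured.

```sh
#!/bin/sh
# Added example (not from the talk): post-install checks, run from
# backup.example.com, that cap_dac_read_search reaches rsync on
# fileserver.example.com and nothing else. Host, user and key are the ones
# from the slides; /root being a 0700 root-only directory is an assumption.

REMOTE=backuphelper@fileserver.example.com
KEY=/root/.ssh/id_rsa_fileserverbackup
DAC_READ_SEARCH_BIT=2   # CAP_DAC_READ_SEARCH is capability number 2

# cap_bit_set STATUS_TEXT FIELD BIT
#   FIELD is CapInh, CapPrm, CapEff or CapBnd as printed in /proc/<pid>/status.
cap_bit_set() {
    mask=$(printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# login_shell_ok STATUS_TEXT
#   After pam_cap, backuphelper's login process should hold the capability as
#   inheritable only; permitted/effective stay empty, so the shell itself is
#   still refused by root-only files.
login_shell_ok() {
    cap_bit_set "$1" CapInh "$DAC_READ_SEARCH_BIT" &&
    ! cap_bit_set "$1" CapPrm "$DAC_READ_SEARCH_BIT" &&
    ! cap_bit_set "$1" CapEff "$DAC_READ_SEARCH_BIT"
}

# rsync_server_ok STATUS_TEXT
#   The "rsync --server" child must have it effective, or it gets EACCES.
rsync_server_ok() { cap_bit_set "$1" CapEff "$DAC_READ_SEARCH_BIT"; }

# Constructed samples of "grep ^Cap /proc/self/status" (not captured output):
# ... in backuphelper's login shell once pam_cap has done its job
SAMPLE_SHELL_STATUS='CapInh: 0000000000000004
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff'
# ... for a user with no capability.conf entry (or a login path that skipped pam_cap)
SAMPLE_NOCAP_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff'
# ... and for the rsync process after execve of the +ei binary
SAMPLE_RSYNC_STATUS='CapInh: 0000000000000004
CapPrm: 0000000000000004
CapEff: 0000000000000004
CapBnd: 0000003fffffffff'

check_remote() {
    # The capability is a security.capability xattr on the binary: a package
    # upgrade installs a new file without it, so this is the check that rots.
    ssh -i "$KEY" "$REMOTE" getcap /usr/bin/rsync | grep -q 'cap_dac_read_search[+=]ei' ||
        { echo "FAIL: /usr/bin/rsync has no file capability (re-run setcap)"; return 1; }

    login_shell_ok "$(ssh -i "$KEY" "$REMOTE" cat /proc/self/status)" ||
        { echo "FAIL: pam_cap did not give backuphelper cap_dac_read_search (inheritable only)"; return 1; }

    # Negative check: a program without file capabilities must still be refused.
    if ssh -i "$KEY" "$REMOTE" ls /root/ >/dev/null 2>&1; then
        echo "FAIL: backuphelper's shell can list /root; more was granted than intended"; return 1
    fi

    # Positive check: rsync, carrying the file capability, can search /root.
    ssh -i "$KEY" "$REMOTE" rsync --list-only /root/ >/dev/null ||
        { echo "FAIL: rsync cannot search /root; the capability never became effective"; return 1; }

    echo "OK: cap_dac_read_search is effective in rsync and nowhere else"
}

case "${1:-}" in
    --remote) check_remote ;;
    *) login_shell_ok "$SAMPLE_SHELL_STATUS" && echo "constructed sample: inheritable only, as expected" ;;
esac
```

Run it with --remote from the backup host after installation and again after each rsync or libpam-cap upgrade; the negative check (ls /root/ must fail) is what tells you the grant is confined to the capability-tagged binary rather than to the account.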
Significant caveats
● CAP_DAC_READ_SEARCH does exactly what it says on the
tin – lets the process read any file, and search any directory.
– This includes /etc/shadow, /etc/sudoers, /etc/my.cnf etc.
– Therefore, backuphelper can do, e.g., "rsync /etc/shadow
/tmp/shadow" (though not "cat /etc/shadow": only the rsync binary
carries the file capability; the login shell holds it as inheritable only)
– And the client legitimately pulling down your backups
obviously has access to/copies of all of those files
● The rsync client on backup.example.com still runs as root.
– A malicious host could therefore speak “bad” rsync protocol
and try to compromise backup.example.com.
– Special files, device files and suid/sgid files will all be
faithfully recreated on backup.example.com's local disk
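The first caveat cannot be removed (a backup of everything has to read everything), but its blast radius can be narrowed: lock the backup host's key to a forced command so that whoever holds it gets a read-only rsync of the tree and nothing else, neither a shell nor an rsync that writes on the file server. This is an added example, not from the talk. Its assumptions: rrsync (the restricted-rsync wrapper from rsync's support/ directory; Debian releases contemporary with the talk ship it gzipped under /usr/share/doc/rsync/scripts/, rsync 3.2.4 and later install /usr/bin/rrsync) has been copied to /usr/local/bin/rrsync and accepts "/" as its restricted directory; backup.example.com connects from 192.0.2.10; and the public key is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the talk): lock backuphelper's key to a read-only
# rsync via a forced command, so whoever holds the backup host's key can pull
# files but cannot get a shell or run an rsync that writes on the file server.
# Assumptions: rrsync (the restricted-rsync wrapper from rsync's support/
# directory) has been placed at /usr/local/bin/rrsync and accepts "/" as its
# directory; backup.example.com connects from 192.0.2.10; the key is a
# placeholder.

RRSYNC=/usr/local/bin/rrsync
BACKUP_HOST_ADDR=192.0.2.10

# authorized_keys_entry PUBKEY [FROM_ADDR]
#   One authorized_keys line. The no-* options are the long-hand spelling of
#   OpenSSH 7.2's "restrict"; rrsync -ro rejects non-rsync commands and any
#   rsync option that would modify the restricted tree.
authorized_keys_entry() {
    printf 'from="%s",command="%s -ro /",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc %s\n' \
        "${2:-$BACKUP_HOST_ADDR}" "$RRSYNC" "$1"
}

# install_authorized_keys HOME_DIR PUBKEY [FROM_ADDR]
#   Writes HOME_DIR/.ssh/authorized_keys with the modes sshd's StrictModes
#   requires (run as root or as the user owning HOME_DIR).
install_authorized_keys() {
    home=$1; pubkey=$2; from=${3:-$BACKUP_HOST_ADDR}
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    authorized_keys_entry "$pubkey" "$from" > "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys"
}

# file_mode PATH: the ls-style permission string, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed placeholder, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER root@backup.example.com'

if [ "${1:-}" = "--install" ]; then
    install_authorized_keys /home/backuphelper "${2:?public key required}"
else
    authorized_keys_entry "$SAMPLE_PUBKEY"
fi
```

The cron job on backup.example.com does not change: the client still sends its rsync --server --sender command, rrsync validates it against the read-only policy, rewrites the path under the restricted directory and execs /usr/bin/rsync, which is the binary carrying the file capability, so the inheritable set raised by pam_cap still arrives where it is needed. Once this is in place the key can no longer run ad-hoc commands, so any interactive checks have to be done from the console or with a different account.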
Conclusions
● Pros:
– rsync is no longer running on fileserver.example.com as
root, which is much safer than the previous configuration
● Cons:
– The CAP_DAC_READ_SEARCH capability backuphelper
has is still very powerful, hence the paranoia to ensure that
password authentication is never allowed for that user.
– This does nothing to address the rsync client running as
root on backup.example.com.
Further possibilities
– Combining the rsync client on backup.example.com with
fakeroot(1), run without actual rootly powers, with the -i and
-s switches to preserve the faked permissions between
runs
– Taking filesystem snapshots on backup.example.com,
after the rsync run has completed, e.g. with “zfs snapshot
datapool/backups/fileserver.example.com”.
(Yes, my backup server is running an OpenSolaris
derivative.)
Questions?
About me
What I do?
● Currently a system administrator, but
previously a PostgreSQL DBA, and
before that a software developer
● Director on the board of trustees at
Leicester Hackspace
● Carer to two of my partners
Contact details:
● hazel.smith@acm.org
● twitter.com/hazelesque
● uk.linkedin.com/in/hazels
Hazel Smith
