Discussion:
[rsnapshot-discuss] mount read only question
Thiep Duong
2016-03-05 00:33:41 UTC
Permalink
I'm new user on rsnapshot-discuss group, and hope someone can help to
answer this.

I have a local dis mounted  (/etc/fstab)
/dev/sdb1   /snapshot ext4   default  0 0
/snapshot   /root/snapshot   none bind 0 0
127.0.0.1:/root/snapshot   /backup   nfs   ro,soft,intr   0 0

the /root/snapshot is exported to other system to be mount as read-ony
(/backup)

Problem I have is that local user can go into /snapshot and able to
write/modify data in there.
If I mount /dev/sdb1   /snapshot  ext4 ro   (read-only), then
even root cannot write to it.

Question:  how to properly protect this?

You can tell me if there is correct way to set up on your side.  And
Thanks in advance

Anthony
Nico Kadel-Garcia
2016-03-05 01:45:07 UTC
Permalink
I'm new user on rsnapshot-discuss group, and hope someone can help to answer
this.
I have a local dis mounted (/etc/fstab)
/dev/sdb1 /snapshot ext4 default 0 0
/snapshot /root/snapshot none bind 0 0
127.0.0.1:/root/snapshot /backup nfs ro,soft,intr 0 0
the /root/snapshot is exported to other system to be mount as read-ony
(/backup)
Problem I have is that local user can go into /snapshot and able to
write/modify data in there.
If I mount /dev/sdb1 /snapshot ext4 ro (read-only), then even root
cannot write to it.
Question: how to properly protect this?
You can tell me if there is correct way to set up on your side. And Thanks
in advance
Anthony
You mean a local user on on your rsnapshot server? Don't let local
users log in: it's a backup server. This is also why rsnapshot is not
ideal for archival backup: it's too easy to corrupt the backup.

Alternatively, you can reduce the window of opportunity by mounting a
relevant partition "read-only" only while snapshots are in progress.

Also alternatively, you can put "/root/snapshot" under
"/snapshot/[rsnapshotserver]/ and setting "/snapshot" to be permission
700, so non-root users can't descend the subdirectory, and exporting
the NFS subdirectory or subdirectories appropriately. That would force
local users on the rsnapshot server to access them locally via a
read-only NFS mount, but that's not too large a performance hit.

Alternatively, you could play with SELinux or NFSv4, but I suspect
you'd hurt yourself if you went to those approaches.

------------------------------------------------------------------------------
Thiep Duong
2016-03-05 04:43:11 UTC
Permalink
 Hi Nico,
Thanks for replying so quickly.We don't have dedicated backup server,
so I have to share system with user.Writing a wrapper to mount
/snapshot then do snap, then unmount it when it's done,sounds OK, but
it may not doable because i also do hourly snap, so the mounted timeis
very much available for user to get access to.
Chmod 700 doesn't work:# chmod 755 /snapshot
EDAcs2  /home/cadmin cd /snapshot/snapshot: Permission denied.    
Loading...