librelist archives

Isolation between different hosts pushing backups to a central host with repositories

From:
Petros Moisiadis
Date:
2014-03-06 @ 19:22
A common scenario is that you have a number of hosts, let's call them
clients, with each one backing up its data to a dedicated (for that
host) remote repository on a central host, let's call it 'server'. What
is the best way to isolate one client from the other so that a client
cannot access (read, write, delete, etc.) the repositories of the
others? Is there a better way than creating a different account on the
server for each client?

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Jonas Borgström
Date:
2014-03-06 @ 19:35
On 2014-03-06 20:22, Petros Moisiadis wrote:
> A common scenario is that you have a number of hosts, let's call them
> clients, with each one backing up its data to a dedicated (for that
> host) remote repository on a central host, let's call it 'server'. What
> is the best way to isolate one client from the other so that a client
> cannot access (read, write, delete, etc.) the repositories of the
> others? Is there a better way than creating a different account on the
> server for each client?

Right now a separate user account for each client is probably the best
approach.

You can also use the ssh forced command feature to make sure the client
can only run attic and nothing else. Just put the following prefix into
the account's .ssh/authorized_keys:

command="/usr/bin/attic serve" ssh-rsa XXXXXXXXX

In the future we could support something like this:

command="/usr/bin/attic serve --restrict-to /some/path" ssh-rsa XXXXXXXXX

That would restrict the repository access to a certain directory. But a
separate user account for each client will always be the most secure option.

/ Jonas

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Dan Christensen
Date:
2014-03-06 @ 19:47
Jonas Borgström <jonas@borgstrom.se> writes:

> On 2014-03-06 20:22, Petros Moisiadis wrote:
>> A common scenario is that you have a number of hosts, let's call them
>> clients, with each one backing up its data to a dedicated (for that
>> host) remote repository on a central host, let's call it 'server'. What
>> is the best way to isolate one client from the other so that a client
>> cannot access (read, write, delete, etc.) the repositories of the
>> others? Is there a better way than creating a different account on the
>> server for each client?
>
> Right now a separate user account for each client is probably the best
> approach.

Attic's encryption feature partially achieves this, but still allows one
client to destroy another client's data (but not read it).  I agree that
separate accounts is probably the best approach.

Dan

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Petros Moisiadis
Date:
2014-03-07 @ 12:31
On 03/06/14 21:47, Dan Christensen wrote:
> Jonas Borgström <jonas@borgstrom.se> writes:
>
>> On 2014-03-06 20:22, Petros Moisiadis wrote:
>>> A common scenario is that you have a number of hosts, let's call them
>>> clients, with each one backing up its data to a dedicated (for that
>>> host) remote repository on a central host, let's call it 'server'. What
>>> is the best way to isolate one client from the other so that a client
>>> cannot access (read, write, delete, etc.) the repositories of the
>>> others? Is there a better way than creating a different account on the
>>> server for each client?
>> Right now a separate user account for each client is probably the best
>> approach.
> Attic's encryption feature partially achieves this, but still allows one
> client to destroy another client's data (but not read it).  I agree that
> separate accounts is probably the best approach.
>
> Dan

I have not yet played with encrypted repositories. Is encryption also
applied on metadata? I guess it is not possible to run attic commands
(e.g. 'attic prune') on an encrypted repository without having the
key/passphrase, right?
If the above is true, then a combination of encryption + restricting ssh
to the 'attic serve' command might offer an accepted level of isolation,
without the overhead of maintaining separate accounts.

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Jonas Borgström
Date:
2014-03-07 @ 14:07
On 2014-03-07 13:31, Petros Moisiadis wrote:
> On 03/06/14 21:47, Dan Christensen wrote:
>> Jonas Borgström <jonas@borgstrom.se> writes:
>>
>>> On 2014-03-06 20:22, Petros Moisiadis wrote:
>>>> A common scenario is that you have a number of hosts, let's call them
>>>> clients, with each one backing up its data to a dedicated (for that
>>>> host) remote repository on a central host, let's call it 'server'. What
>>>> is the best way to isolate one client from the other so that a client
>>>> cannot access (read, write, delete, etc.) the repositories of the
>>>> others? Is there a better way than creating a different account on the
>>>> server for each client?
>>> Right now a separate user account for each client is probably the best
>>> approach.
>> Attic's encryption feature partially achieves this, but still allows one
>> client to destroy another client's data (but not read it).  I agree that
>> separate accounts is probably the best approach.
>>
>> Dan
> 
> I have not yet played with encrypted repositories. Is encryption also
> applied on metadata? I guess it is not possible to run attic commands
> (e.g. 'attic prune') on an encrypted repository without having the
> key/passphrase, right?

Yes, every single bit is encrypted.

> If the above is true, then a combination of encryption + restricting ssh
> to the 'attic serve' command might offer an accepted level of isolation,
> without the overhead of maintaining separate accounts.

Unfortunately not, it's possible to create a custom attic client that
would be able to delete/destroy a repository without having access to
the encryption keys. You don't need to be able to decrypt data to be
able to delete it.

/ Jonas

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Petros Moisiadis
Date:
2014-03-07 @ 14:54
On 03/07/14 16:07, Jonas Borgström wrote:
> On 2014-03-07 13:31, Petros Moisiadis wrote:
>> If the above is true, then a combination of encryption + restricting ssh
>> to the 'attic serve' command might offer an accepted level of isolation,
>> without the overhead of maintaining separate accounts.
> Unfortunately not, it's possible to create a custom attic client that
> would be able to delete/destroy a repository without having access to
> the encryption keys. You don't need to be able to decrypt data to be
> able to delete it.
>
> / Jonas
>
>

Since the process that makes direct changes on repositories is the
'attic serve' process, it seems to be possible to add a message
authentication step so that 'attic serve' is restricted to operate only
on the repository for which the (malicious) client process has the
encryption key / passphrase. Unencrypted repositories would still be
unprotected, of course, but, hey, they are unencrypted after all. Am I
right?

Re: [attic] Isolation between different hosts pushing backups to a central host with repositories

From:
Jonas Borgström
Date:
2014-03-07 @ 15:09
On 2014-03-07 15:54, Petros Moisiadis wrote:
> On 03/07/14 16:07, Jonas Borgström wrote:
>> On 2014-03-07 13:31, Petros Moisiadis wrote:
>>> If the above is true, then a combination of encryption + restricting ssh
>>> to the 'attic serve' command might offer an accepted level of isolation,
>>> without the overhead of maintaining separate accounts.
>> Unfortunately not, it's possible to create a custom attic client that
>> would be able to delete/destroy a repository without having access to
>> the encryption keys. You don't need to be able to decrypt data to be
>> able to delete it.
>>
>> / Jonas
>>
>>
> 
> Since the process that makes direct changes on repositories is the
> 'attic serve' process, it seems to be possible to add a message
> authentication step so that 'attic serve' is restricted to operate only
> on the repository for which the (malicious) client process has the
> encryption key / passphrase. Unencrypted repositories would still be
> unprotected, of course, but, hey, they are unencrypted after all. Am I
> right?

When encryption is enabled 'attic serve' is not trusted with any
unencrypted data, passphrases or encryption keys. A remote repository is
pretty much just a transactional key value store. It just processes a
series of GET, PUT, DELETE and COMMIT commands. This means all data is
secured before leaving the client.

As I said before, adding an option to "attic serve" that would restrict
the repository access to a specified repository, or at least a
specific folder, would work for you, as long as there are no bugs in the
code at least :)

For example, something like this in /home/attic/.ssh/authorized_keys:

command="attic serve --restrict-to-path /data/clientA" ssh-rsa clientA's key
command="attic serve --restrict-to-path /data/clientB" ssh-rsa clientB's key


/ Jonas
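The shared-account setup Jonas sketches above, as an added example that is not code from the thread or from the Attic project: it generates one confined authorized_keys line per client and audits an existing file for keys that are not pinned to "attic serve". It assumes attic is installed at /usr/bin/attic, each client's repository lives under /data/<client>, and "attic serve" accepts the --restrict-to-path option the thread describes as a planned feature.

```shell
#!/bin/sh
# Added example, not code from the thread or the Attic project.
# Assumptions: attic is installed at /usr/bin/attic, each client's
# repository lives under /data/<client>, and "attic serve" accepts the
# --restrict-to-path option that the thread describes as a planned feature.

ATTIC=/usr/bin/attic
REPO_ROOT=/data
# OpenSSH authorized_keys options that leave the key nothing but the forced command.
LOCKDOWN='no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc'

# restricted_key_line CLIENT "TYPE BASE64 [COMMENT]"
# Prints one authorized_keys line that pins CLIENT's key to its own repository
# directory; fails on a client name that could escape REPO_ROOT or on a bad key.
restricted_key_line() {
  client=$1
  key=$2
  case $client in
    ''|*[!A-Za-z0-9_-]*) echo "refusing client name: $client" >&2; return 1 ;;
  esac
  set -- $key                       # split into type, base64 blob, optional comment
  case $1 in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type: $1" >&2; return 1 ;;
  esac
  [ -n "$2" ] || { echo "missing key material" >&2; return 1; }
  type=$1; blob=$2; shift 2
  printf 'command="%s serve --restrict-to-path %s/%s",%s %s %s %s\n' \
    "$ATTIC" "$REPO_ROOT" "$client" "$LOCKDOWN" "$type" "$blob" "${*:-$client}"
}

# audit_authorized_keys FILE
# Prints every key line in FILE that is not pinned to a per-client
# "attic serve --restrict-to-path" command; returns 1 if any such line exists.
audit_authorized_keys() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;
      *"command=\"$ATTIC serve --restrict-to-path $REPO_ROOT/"*) continue ;;
    esac
    echo "UNRESTRICTED: $line"
    bad=1
  done < "$1"
  return $bad
}
```

The audit only checks for the forced command, not for the lockdown options, and the forced command remains the sole boundary between clients sharing one account, which is why the thread still recommends separate accounts.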