
Privilege separation

Open ltratt opened this issue 3 years ago • 4 comments

Thanks very much for bupstash -- it is almost exactly the backup solution I have been looking for! Of course, like any random person on the internet, I can't help making a suggestion that you spend your time on a feature that I would like to see: privilege separation (e.g. as in OpenSSH). I wondered if it would be possible to split apart the "read the file system" part of the program (which, in general, needs root privileges) from most of the other parts -- in particular anything which deals with network traffic? This would mean that very little of the code would need to be run as root, which would make bupstash even more solid in my opinion!

Thanks again for the program -- and please treat this request as that of someone who is hoping for icing on the cake despite knowing that he deserves no such thing!

ltratt, Aug 23 '21 19:08

Technically this already exists: all you really need to do is set your BUPSTASH_REPOSITORY_COMMAND to a command like su to drop privs.

Here is what I do for my local backups:

export BUPSTASH_REPOSITORY_COMMAND='su - backups -c "bupstash serve /mnt/external/bupstash"'

I think to avoid running ssh as root you could certainly do something similar by changing it to:

export BUPSTASH_REPOSITORY_COMMAND='su - backups -c "ssh someserver.com bupstash serve /path/to/repo"'

This would avoid most protocol parsing as root. For the remaining work, there is some parsing of the bupstash IPC protocol, but I think the threats are largely mitigated by using Rust, which makes exploiting such a system much harder. All that being said, I am always open to improving things further.

andrewchambers, Sep 01 '21 09:09

Thanks, this certainly looks like an improvement, although I think you're suggesting that "more" privilege separation might be possible?

ltratt, Sep 02 '21 19:09

I need to think a bit more about it, I am not sure currently.

andrewchambers, Sep 02 '21 23:09

Just to confirm that:

BUPSTASH_REPOSITORY_COMMAND="doas -u backup ssh <server> \"bupstash serve <repo>\""

works fine on OpenBSD (and I imagine your su variant for non-OpenBSD probably works well too!) for running ssh as non-root.

ltratt, Sep 04 '21 09:09
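The three BUPSTASH_REPOSITORY_COMMAND variants discussed in this thread (su for the local repository, su plus ssh for a remote one, and doas plus ssh on OpenBSD) all rely on getting the nested quoting right, and none of them protects you if the command is misconfigured and the repository side still ends up running as root. The following POSIX shell script is an added example, not bupstash's own code or anything from this issue: it builds each command string from the user, host and repository path so the quoting is done in one place, and adds a small wrapper that refuses to start `bupstash serve` when its effective uid is 0. The user name `backups`, the host `someserver.com` and the repository paths are placeholders taken from the thread; the wrapper name `serve_unprivileged` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of bupstash): build privilege-dropping repository
# commands for BUPSTASH_REPOSITORY_COMMAND and guard the serving side.

# Return 1 when the given uid is 0. The uid is passed as an argument so the
# check can be exercised without actually running as root.
check_not_root() {
    uid="$1"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run bupstash serve as root" >&2
        return 1
    fi
    return 0
}

# su variant for a local repository: $1 = unprivileged user, $2 = repository path.
build_local_repo_command() {
    user="$1"; repo="$2"
    printf 'su - %s -c "bupstash serve %s"' "$user" "$repo"
}

# su + ssh variant for a remote repository: $1 = user, $2 = host, $3 = repository path.
build_ssh_repo_command() {
    user="$1"; host="$2"; repo="$3"
    printf 'su - %s -c "ssh %s bupstash serve %s"' "$user" "$host" "$repo"
}

# doas + ssh variant (OpenBSD): $1 = user, $2 = host, $3 = repository path.
build_doas_repo_command() {
    user="$1"; host="$2"; repo="$3"
    printf 'doas -u %s ssh %s "bupstash serve %s"' "$user" "$host" "$repo"
}

# Wrapper to run on the serving side (hypothetical name): verify that the
# privilege drop actually happened before handing the repository to bupstash.
serve_unprivileged() {
    repo="$1"
    check_not_root "$(id -u)" || return 1
    exec bupstash serve "$repo"
}

# Usage: "$0 serve /path/to/repo" runs the guarded wrapper; with no arguments
# the script only defines the functions above.
case "${1:-}" in
    serve) serve_unprivileged "$2" ;;
esac
```

Exporting `BUPSTASH_REPOSITORY_COMMAND="$(build_local_repo_command backups /mnt/external/bupstash)"` yields exactly the su line from the thread; pointing the su or doas target at the `serve` wrapper instead of `bupstash serve` directly means a typo in the user name fails loudly rather than silently serving the repository as root.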