hints_tips:untrusted_director_-_nix_solution [2009/03/10 16:06]
jzeeff created
hints_tips:untrusted_director_-_nix_solution [2009/03/15 13:30] (current)
jzeeff
===== Untrusted Director =====

I ran into a situation where the director and storage systems weren't trusted by the fd client. I.e., some of the data on the client should not be available to the director. Nor should the director have rights to create or delete critical files on the client.
The approach I took was to:
  
  - create a chroot environment to run the bacula fd client in. The bacula client does not run as root.
  - create a cron script to copy the files that need to be backed up into the chroot area. This script uses gpg to encrypt and compress the files before copying.
  
The result is that bacula is used to back up selected files without trusting the bacula system. File names are still exposed but I wasn't concerned about that.
  
<code bash>
#!/bin/bash

# compress and encrypt files and then copy to a directory where bacula will get them
# don't update files that haven't changed.  Not recursive.

# destination inside the fd's chroot; bacula backs up whatever appears here
DIR=/u2/chroot/bacula/data
export DIR

# source directory holding the files to protect (site-specific path)
cd xxx || exit 1

for i in *
do
   if test -f "$i"
   then
      # skip when the encrypted copy already exists and is newer than the source
      if test -f "$DIR/$i" -a "$DIR/$i" -nt "$i"
      then
         :
      else
          # symmetric (passphrase) encryption with bzip2 compression; the output
          # lands in the chroot data directory under the same file name
          gpg --compress-algo bzip2 --passphrase xxxxxxxxx --no-use-agent -c < "$i" > "$DIR/$i"
      fi
   fi
done
</code>
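An added example, not the page's own script: a hardened variant of the copy step above that walks subdirectories, reads the passphrase from a root-only file instead of the command line (where ps shows it to every local user), runs gpg with --batch so cron never blocks on a prompt, and decrypts each copy back to confirm it matches the source. The source directory, the output directory inside the fd's chroot and the passphrase file are hypothetical and passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page). Hardened version of the copy step:
#  - recursive over the source tree
#  - passphrase read from a 0600 file, not from argv (argv is readable via ps)
#  - --batch so gpg never waits for a prompt when run from cron
#  - decrypt-and-compare check so a bad passphrase or truncated copy is caught
#    at backup time rather than at restore time
# All paths are hypothetical and passed in as arguments.
set -u
umask 077   # encrypted copies are created readable by this user only

# encrypt_changed SRC OUT PASSFILE
# Re-encrypt every regular file under SRC whose copy under OUT is missing or
# older than the source. Prints the number of files (re)encrypted.
encrypt_changed() {
    src=$1; out=$2; passfile=$3
    find "$src" -type f | (
        n=0
        while IFS= read -r f; do
            rel=${f#"$src"/}
            dst="$out/$rel.gpg"
            if [ -f "$dst" ] && [ "$dst" -nt "$f" ]; then
                continue                   # encrypted copy is current; skip
            fi
            mkdir -p "$(dirname "$dst")" || exit 1
            gpg --batch --yes --quiet --compress-algo bzip2 \
                --passphrase-file "$passfile" -c -o "$dst" "$f" || exit 1
            n=$((n + 1))
        done
        echo "$n"
    )
}

# verify_copy FILE ENCRYPTED PASSFILE
# Succeeds only if ENCRYPTED decrypts to exactly the contents of FILE.
verify_copy() {
    gpg --batch --quiet --passphrase-file "$3" -d "$2" 2>/dev/null | cmp -s - "$1"
}
```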
  
  