DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 21st December 2014
raindog308 raindog308 is offline
Fdisk Soldier
 
Join Date: Sep 2011
Posts: 66
Question How to Set Directory Perms: Can Create, But Cannot Delete?

Is there a way to create a directory such that users can create files, but once created, the files are immutable by non-root? chflags seems to almost but not quite support this.

Here is what I'm trying to do:

system A: a web server
system B: a backup server

Nightly, system A sends its backups to system B via scp or sftp (using a non-privileged user's credentials). Once on system B, the files cannot be modified or delete by that user. If system A is every compromised, the attacker can't nuke the backups as well. The files are available to be scp/sftp'd back to system A if needed. Periodically, a job on system B tidies the directory by removing old backups.

Of course, there are other approaches: I could run the backups at 1am and then have a cron job on system B that moves them to an inaccessible place at 2am, or changes permissions on them, etc. I don't know if OpenBSD has support for directory-watching notify hooks which may be another avenue.

But first I was going for simple...is there was a way to accomplish this with chflags?

I tried this (OpenBSD 5.6):

Code:
# mkdir /tmp/example
# chmod 1777 /tmp/example
# chflags uappnd /tmp/example
However:

Code:
$ cd /tmp/example
$ cp /some/big/file.txt .
$ cp /dev/null ./file.txt
$ cp /some/other/big/file.txt file.txt
$
All of these cp(1) commands succeed. In other words, the file can be over-written which defeats what I'm trying to do.

And setting uchg on the directory appears to make the directory itself unchangeable, which means new files can't be created.
Reply With Quote
  #2   (View Single Post)  
Old 21st December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,596
Default

You could configure the backup system B to initiate the backup scp connection to system A.

Then you protect the backup system by only allowing outgoing backup connections with pf.

The sshd(8) gives an example of an authorized_keys file entry that limits an incoming SSH connection to only run a single command:

Code:
        command="dump /home",no-pty,no-port-forwarding ssh-dss
        AAAAC3...51R== example.net
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 21st December 2014
raindog308 raindog308 is offline
Fdisk Soldier
 
Join Date: Sep 2011
Posts: 66
Default

Interesting...one of the reasons I'm not wild about the backup server initiating backups is that then there is nice set of ssh keys with access to all the clients in one place. I hadn't thought of that method of limiting what one could do with those keys.

So in this example, I'd do something like this:

Code:
ssh -i /root/.ssh/some-key root@some.example.com 'dump -0f - /somedir' > /backups/clever-naming-scheme-0.dump
Or tar, etc.

Tested and it works. Nice. Thanks.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
strange "~" directory in home directory gosha OpenBSD General 5 23rd February 2009 06:12 PM
FreeBSD console delete key graudeejs FreeBSD General 4 24th August 2008 01:37 PM
Cannot delete it.... graudeejs FreeBSD General 9 20th July 2008 12:45 PM
How to delete account? khdf Feedback and Suggestions 5 9th May 2008 09:05 PM


All times are GMT. The time now is 04:25 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick