Remember the Users
RSS imageAbout About Me

The ongoing challenge of using free/libre software.

Protecting Backup Files

A problem that bothered me for a long time is protecting my local backup files. More than once I opened a file from my local backups and mistakenly edited that file rather than the original file that I was comparing.

I have a multi-layered backup strategy. I use rsnapshot for the first layer, which I call my “fat fingers” protection layer or my local backups. This first layer of backups is to protect me from myself.

The rsnapshot backups are scheduled every hour to backup system and user files. The backups are stored on a second internal hard drive. The process has worked well for me for many years. Yet I still make that occasional error of editing the incorrect file.

I never caused any damage by this occasional error. Yet the nominal sys admin in me knows that those backups should be read-only.

The problem has bugged me more since I started helping other people with Linux systems because I install a similar layer of backup protection for those people. As these folks are non technical, I want to protect those backups from user ignorance.

The challenge is ensuring the original user permissions are preserved so users can restore files.

After some lengthy searching I decided there were two approaches. One is to use NFS and localhost. That method is not recommended by a handful of people for security reasons. I never found a reason to explain the security concern.

The other method is to use mount bind. That is the method I chose.

I use two hard drives in my main office system. That system also acts as a networked file server. While I have been wanting to move those services to a dedicated file server because I continue to add devices in my home network, my existing setup has done well for many years and continues to do so.

That second hard drive is where I store my first layer of backups. Part of my fstab looks like this:

    # # # Storage partition for common data files, software builds, local repo directories, VM images # # #
    /dev/sdb1 /home/public ext4 defaults,noatime,acl 0 2

    # # # Storage partition for backups and archived files # # #
    /dev/sdb2 /home/public/archives ext4 defaults,noatime 0 2

My rsnapshot backups are stored in /home/public/archives/Backups.

The final solution proved straightforward.

    mkdir /home/public/archives/backups
    mv /home/public/archives/Backups /home/public/archives/backups/
    mkdir /home/public/archives/Backups
    chmod 700 /home/public/archives/backups
    chmod 755 /home/public/archives/backups/Backups

Update /etc/fstab:

    # # # Ensure rsnapshot backups are read-only to non-root users # # #
    /home/public/archives/backups/Backups /home/public/archives/Backups none bind 0 0
    /home/public/archives/backups/Backups /home/public/archives/Backups none remount,bind,ro 0 0

Update /etc/rsnapshot.conf:

    snapshot_root /home/public/archives/backups/Backups

Update /etc/exports:

    /home/public/archives/Backups 192.168.1.1/24(ro,no_root_squash,async,anonuid=99,anongid=99,subtree_check,no_wdelay)

Non-root users cannot peek into /home/public/archives/backups to gain access. Everything under the new /home/public/archives/backups is not viewable by non-root users. The bind mount commands render the original directory path as read-only.

I wish I had done this years ago.

From a usability perspective, all that non technical users need after I install this backup system is a file manager with a respective bookmark.

Posted: December 2, 2015 Category: Tutorial, Usability Tagged: General

Next: Distro Reviews

Previous: Meld Deleting MRU Files

No cookies, no JavaScript, no Flash, no ads, no tracking. Just a blog.

Remember the Users
RSS imageAbout About Me