Rsync security grab bag?
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Rsync security grab bag?
I have a situation with a few Qnaps. Being from me, or from customers and tried to connect 2 with Rsync.
I have 3 Qnaps myself. 2 On location, 1 on a remote location for backup only.
My customer is having 3 different Qnaps as well.
My setup:
Mainbox: 673
Extra: 219Pii
Remote 239
Customer:
Mainbox 453
Extra 219Pii
Extra 219
If my customer connects with any of his Qnaps to my 673 he only sees the Share that I have prepared.
If I connect to my customer's 219Pii from my mainbox, I see all his Shares and can even open them.
I have checked his settings, and they are equal to mine. I should not see all his shares.
The same with all his other Qnaps.
Now comes the strange part: none of his Qnaps see more than the prepared Share.
If I check with a special rsync user my mainbox, from my remote 239, I see all the shares.
I cannot understand why that is. To us this whole Linux security feels like a big grab box.
As the user I use here is exactly the same as my customer connects to my 673.
The only difference there is, is that the remote 239 is connected via a lan2lan vpn between 2 Draytek routers.
I think I miss some knowledge here.
Thanks ahead.
Friendly Greetings,
RobB
Main NAS:
Model: TS-253D - 20200725
Boot:- Raid 1: 2x 1 TB m.2 WD Red
Disks - 6TB WD Red, 350GB WD blue 2.5"
BACKUP NAS (On 2 hours a day due to Electricity costs)
Model: TvS-673 40GB (2*32+2*4) - 20170215
Boot:-Raid 1: 2x Crucial M.2 275GB 2x
Disks Raid 1:-3.5" 2x Toshiba 10 TB
UPS: Back-UPS Pro BR900G-GR
---
-----------------------------------------------------------------------------------------------------------------------------------------
Media Boxe: Nvidia ShieldTV Pro
-----------------------------------------------------------------------------------------------------------------------------------------
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
Nobody?
I see this as an issue, if you have an older device.
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
I had a Teamviewer session with Qnap Netherlands yesterday.
The issue is not solved.
Explanation 1: Because you login on the main nas with the admin user, it can read any other qnap where the user admin is being used.
In case of the 673 to 219 or 239 that might be true. But it does not work between 673 and 453b.
Explanation 2: SMB version. The 219 and 239 both run on SMB 1.0 and the 673 and 453 run on SMB 2.1 or can even run on 3.0.
I got the impression that Qnap did not really know what caused it and is purely guessing.
I really wonder what Rsync has to do with SMB? I thought that SMB means Samba, which is a connection between the Linux world and the Windows world.
Yet I am only syncing between 2 Qnaps (linux) devices.
Can somebody else put some light on this?
Thanks ahead,
RobB
-
- Easy as a breeze
- Posts: 267
- Joined: Wed Jun 15, 2016 2:49 am
Re: Rsync security grab bag?
You write something about SMB and mix it up with rsync. It's all mixed up and you do not even provide the rsync command which you are using to connect to the share of another NAS. No user, no path (of course you may replace sensitive data) and I can just guess that the user has too many permissions and thus sees too much.
Also my SMB connections work as expected and one may have a Windows client handy to test this. Testing locally with smbmount should produce the same results. I did not follow all samba security bugs so there may be one which allows bypassing the security.
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
I use the sync option from Hybrid backup.
Qnap to qnap.
I use Rsync. Between a local TVS-673 and TS-219 local and remote.
I did not come up with SMB. Qnap did.
-
- Easy as a breeze
- Posts: 267
- Joined: Wed Jun 15, 2016 2:49 am
Re: Rsync security grab bag?
I never used Hybrid backup for rsync backups. Looking up the documentation it seems you are using the admin user - I found no option to select a user. And the admin should have access to all folders.
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
I connect to the other system with a specific user, which I have shared with a co-worker. And that gave me the impression that it is accessing it with that userid, not with the admin. I might be completely mistaken.
-
- Easy as a breeze
- Posts: 267
- Joined: Wed Jun 15, 2016 2:49 am
Re: Rsync security grab bag?
Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user. As long as you own both QNAPs involved this is ok.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Rsync security grab bag?
iam@nas wrote: ↑Wed Feb 27, 2019 12:44 pm
Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user.

They use the RTRR protocol in that tutorial so different from Rsync.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Rsync security grab bag?
As far as I know the user and password used to authenticate to the Rsync server isn't the same as a Qnap user even if they happen to share credentials.
Why do you use Rsync and not RTRR?
What speed is the connection between the sites?
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
I have my main nas (673) and 2 backup nasses (219+239) and backup between them via RTRR.
That process runs under the admin user.
I do not want to share the admin account with my coworker.
Neither did I find the option to use a second RTRR user. Therefore do I use Rsync, for the incidental screenshot exchanges from citiesXL.
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
Can RTRR receive and send with 2 or more different users?
Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?
And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4
Can Rsync?
-
- Easy as a breeze
- Posts: 267
- Joined: Wed Jun 15, 2016 2:49 am
Re: Rsync security grab bag?
As long as you use the Hybrid Backup you need to create a remote storage ( https://www.qnap.com/en/how-to/tutorial ... nap-nas/#b ). You may use it for RTRR or for scheduled backups.
As long as you can not select a user here 'admin' will be used. This makes sense for backups as a backup with all file permissions is only possible this way unless the permissions are stored elsewhere.
- aarbee
- Easy as a breeze
- Posts: 387
- Joined: Wed Feb 16, 2011 4:54 am
Re: Rsync security grab bag?
Problem is, that I do not mind that my colocation is using my admin account (as it is me-myself and I), but I do not want my coworker to use that same admin account.
Neither does he not want to know his admin account.
I will try to read that document. Thank you for the link
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Rsync security grab bag?
Not in any way I know.
aarbee wrote:
Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?
And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4
Can Rsync?

As I said, the username/password used in the Rsync server authentication is independent of the Qnap user database in the same system, so you need to stop thinking of the rsync authentication as being the same as the Qnap users.
An example of Qnap X:
User DB has users: admin, User1, User2
Rsync server has for authentication: User8
The above works despite User8 not being a Qnap user. The Rsync server accesses files as admin.
An example of Qnap Y:
User DB has users: admin, User1, User2
Rsync server has for authentication: User1
The above also works but please note that rsync User1 still isn't the same as Qnap User1. The Rsync server accesses files as admin, not User1!
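The distinction drawn in the last post (the rsync login name only gates the connection, while files are read under whatever account the daemon switches to) can be checked directly against an rsyncd.conf. This is an added example, not code from the thread or from QNAP; the sample config, module names and paths are constructed, and treating 'admin' as the superuser name is an assumption taken from the thread's description.

```python
"""Audit an rsyncd.conf: who may log in vs. which OS account reads the files."""

# Constructed sample config for illustration (not copied from any QNAP device).
SAMPLE_CONF = """\
# global section applies to every module unless overridden
uid = admin
gid = administrators
secrets file = /etc/rsyncd.secrets

[Screenshots]
path = /share/Screenshots
auth users = User8
read only = no

[Backup]
path = /share/Backup
auth users = User1, User2:ro
list = no
uid = nobody

[Public]
path = /share/Public
"""

# Assumption: 'admin' is the superuser account name, as the thread describes.
PRIVILEGED = {"root", "admin", "0"}


def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); keys lowercased with spaces removed."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' is significant
        key = "".join(key.split()).lower()
        (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules


def audit(text):
    """Per module: rsync-only login names, OS uid used for file access, findings."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # module settings override globals
        rules = eff.get("authusers", "").replace(",", " ").split()
        logins = [r.split(":", 1)[0] for r in rules]  # drop :ro/:rw/:deny
        uid = eff.get("uid", "nobody")  # rsync default when started by root
        listed = eff.get("list", "yes").lower() in ("yes", "true", "1")
        findings = []
        if not logins:
            findings.append("no 'auth users': anonymous access")
        if uid in PRIVILEGED:
            findings.append(f"files accessed as '{uid}' for every login")
        if listed:
            findings.append("module name shown in listings")
        report[name] = {"logins": logins, "file_access_uid": uid,
                        "listed": listed, "findings": findings}
    return report


if __name__ == "__main__":
    for module, info in audit(SAMPLE_CONF).items():
        print(module, info)
```

In the constructed sample, User8 authenticates to the Screenshots module yet every file operation runs as admin, which is the situation described for Qnap X and Qnap Y above.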