Rsync security grab bag?

Discussion on remote replication.
aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Rsync security grab bag?

Post by aarbee » Sat Jan 12, 2019 2:03 am

I have a situation with a few Qnaps, some of them mine and some from customers, and tried to connect 2 with Rsync.
I have 3 Qnaps myself. 2 On location, 1 on a remote location for backup only.
My customer is having 3 different Qnaps as well.

My setup:
Mainbox: 673
Extra: 219Pii
Remote: 239

Customer:
Mainbox: 453
Extra: 219Pii
Extra: 219

If my customer connects with any of his Qnaps to my 673 he only sees the Share that I have prepared.

If I connect to my customer's 219Pii from my mainbox, I see all his Shares and can even open them.
I have checked his settings, and they are equal to mine. I should not see all his shares.
The same with all his other Qnaps.

Now comes the strange part: none of his Qnaps sees more than the prepared Share.
If I check my mainbox with a special rsync user, from my remote 239, I see all the shares.
I cannot understand why that is. To us this whole Linux security feels like a big grab box.
The user I use here is exactly the same as the one my customer uses to connect to my 673.
The only difference is that the remote 239 is connected via a lan2lan VPN between 2 Draytek routers.

I think I am missing some knowledge here.
Thanks ahead.
Friendly Greetings,

RobB

Model: TvS-673 40GB (2*32+2*4) - 20170215
Disks Raid 6: 2.5" 4x WD red 1TB active, 2 spare(nasware2/Nasware3)
Cache: Cache SSD: Crucial M.2 275GB 2x
UPS: Back-UPS Pro BR900G-GR
---
Model: TS-239 PRO II - Raid 1: 2x WD Red 4TB
Model: TS-219P II+ - Raid 1: 2x HGST Deskstar-nas 3TB

Reserve 1x HGST Deskstar-nas 4TB
-----------------------------------------------------------------------------------------------------------------------------------------
Media Box: Nvidia ShieldTV Pro
-----------------------------------------------------------------------------------------------------------------------------------------
My IT weblog (http://www.nononsensecomputer.nl)

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Thu Jan 24, 2019 1:55 am

Nobody?
I see this as an issue, if you have an older device.

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Wed Feb 27, 2019 1:25 am

I had a Teamviewer session with Qnap Netherlands yesterday.
The issue is not solved.

Explanation 1: Because you log in on the main NAS with the admin user, it can read any other Qnap where the user admin is being used.
In case of the 673 to 219 or 239 that might be true. But it does not work between 673 and 453b.
Explanation 2: SMB version. The 219 and 239 both run on SMB 1.0 and the 673 and 453 run on SMB 2.1 or can even run on 3.0.

I got the impression that Qnap did not really know what caused it and was purely guessing.
I really wonder what Rsync has to do with SMB. I thought that SMB means Samba, which is a connection between the Linux world and the Windows world.
Yet I am only syncing between 2 Qnap (Linux) devices.

Can somebody else shed some light on this?
Thanks ahead,

RobB

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas » Wed Feb 27, 2019 2:04 am

You write something about SMB and mix it up with rsync. It's all mixed up and you do not even provide the rsync command which you are using to connect to the share of another NAS. No user, no path (of course you may replace sensitive data) and I can just guess that the user has too many permissions and thus sees too much.

Also my SMB connections work as expected and one may have a Windows client handy to test this. Testing locally with smbmount should produce the same results. I did not follow all samba security bugs so there may be one which allows bypassing the security.

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Wed Feb 27, 2019 2:08 am

I use the sync option from Hybrid backup.
Qnap to qnap.
I use Rsync. Between a local TVS-673 and TS-219 local and remote.

I did not come up with SMB. Qnap did. ;-)

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas » Wed Feb 27, 2019 2:25 am

I never used Hybrid backup for rsync backups. Looking up the documentation it seems you are using the admin user - I found no option to select a user. And the admin should have access to all folders.

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Wed Feb 27, 2019 4:25 am

I connect to the other system with a specific user, which I have shared with a coworker. And that gave me the impression that it is accessing it with that userid. Not with the admin. I might be completely mistaken.

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas » Wed Feb 27, 2019 12:44 pm

Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user. As long as you own both QNAPs involved this is ok.

P3R
Guru
Posts: 10755
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R » Wed Feb 27, 2019 4:25 pm

iam@nas wrote:
Wed Feb 27, 2019 12:44 pm
Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user.
They use the RTRR protocol in that tutorial, so it is different from Rsync.

RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

P3R
Guru
Posts: 10755
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R » Wed Feb 27, 2019 4:33 pm

aarbee wrote:
Wed Feb 27, 2019 4:25 am
I connect to the other system with a specific user, which I have shared with a coworker. And that gave me the impression that it is accessing it with that userid. Not with the admin. I might be completely mistaken.
As far as I know the user and password used to authenticate to the Rsync server isn't the same as a Qnap user even if they happen to share credentials.

Why do you use Rsync and not RTRR?
What speed is the connection between the sites?

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Wed Feb 27, 2019 5:25 pm

I have my main nas (673) and 2 backup nasses (219+239) and backup between them via RTRR.
That process runs under the admin user.

I do not want to share the admin account with my coworker.
Neither did I find the option to use a second RTRR user. Therefore I use Rsync, for the incidental screenshot exchanges from citiesXL.

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Thu Feb 28, 2019 12:28 am

Can RTRR receive and send with 2 or more different users?

Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?

And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4


Can Rsync?

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas » Thu Feb 28, 2019 12:34 am

As long as you use the Hybrid Backup you need to create a remote storage ( https://www.qnap.com/en/how-to/tutorial ... nap-nas/#b ). You may use it for RTRR or for scheduled backups.
As long as you cannot select a user here, 'admin' will be used. This makes sense for backups, as a backup with all file permissions is only possible this way unless the permissions are stored elsewhere.

aarbee
Easy as a breeze
Posts: 341
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee » Thu Feb 28, 2019 12:39 am

Problem is, that I do not mind that my colocation is using my admin account (as it is me-myself and I), but I do not want my coworker to use that same admin account.
Neither does he not want to know his admin account.

I will try to read that document. Thank you for the link.

P3R
Guru
Posts: 10755
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R » Thu Feb 28, 2019 2:03 am

aarbee wrote:
Thu Feb 28, 2019 12:28 am
Can RTRR receive and send with 2 or more different users?
Not in any way I know.
Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?

And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4


Can Rsync?
As I said, the username/password used in the Rsync server authentication is independent from the Qnap user database in the same system, so you need to stop thinking about the rsync authentication as being the same as the Qnap users.

An example of Qnap X:
User DB has users: admin, User1, User2
Rsync server has for authentication: User8

The above works despite User8 not being a Qnap user. The Rsync server accesses files as admin.

An example of Qnap Y:
User DB has users: admin, User1, User2
Rsync server has for authentication: User1

The above also works, but please note that rsync User1 still isn't the same as Qnap User1. The Rsync server accesses files as admin, not User1!
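The separation P3R describes, where the rsync daemon's login names are independent of the NAS user database and files are read as whatever uid the daemon is configured with, can be checked directly against an rsyncd.conf. The following is an added example, not part of the thread and not QNAP code; it assumes a standard rsync daemon config, and the two config samples, module names, users and the `xfer` account are constructed.

```python
# Constructed rsyncd.conf samples; modules, paths, users and "xfer" are made up.
WEAK = """
uid = admin
secrets file = /etc/rsyncd.secrets
auth users = User1
[Exchange]
path = /share/Exchange
[Accounting]
path = /share/Accounting
"""
SCOPED = """
uid = admin
secrets file = /etc/rsyncd.secrets
[Exchange]
path = /share/Exchange
auth users = User1
uid = xfer
[Accounting]
path = /share/Accounting
auth users = backupjob
"""

def parse_rsyncd(text):
    """Split rsyncd.conf text into (global params, {module: params})."""
    glob, mods, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = mods.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            target = glob if cur is None else cur
            target[" ".join(key.split()).lower()] = value.strip()
    return glob, mods

def exposure(text, rsync_user):
    """Modules rsync_user can open -> OS uid the daemon reads files as."""
    glob, mods = parse_rsyncd(text)
    reachable = {}
    for name, params in mods.items():
        eff = {**glob, **params}  # module values override global defaults
        users = eff.get("auth users", "").replace(",", " ").split()
        allowed = {u.split(":")[0] for u in users if not u.endswith(":deny")}
        # Empty "auth users" = anonymous access; wildcards/@groups not handled.
        if not users or rsync_user in allowed:
            reachable[name] = eff.get("uid", "nobody")  # root daemon default
    return reachable
```

With `WEAK`, the one rsync login reaches every module and all file access happens as `admin`, so share permissions set for a NAS user of the same name never apply; with `SCOPED`, the same login reaches a single module under a low-privilege uid.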
