Rsync security grab bag?

Discussion on remote replication.

Post by aarbee »

I have a situation with a few Qnaps, some of mine and some of a customer's, where I tried to connect 2 with Rsync.
I have 3 Qnaps myself: 2 on location, 1 at a remote location for backup only.
My customer has 3 different Qnaps as well.

My setup:
Mainbox: 673
Extra: 219Pii
Remote 239

Customer:
Mainbox 453
Extra 219Pii
Extra 219

If my customer connects with any of his Qnaps to my 673 he only sees the Share that I have prepared.

If I connect to my customer's 219Pii from my mainbox, I see all his shares and can even open them.
I have checked his settings, and they are equal to mine. I should not see all his shares.
The same with all his other Qnaps.

Now comes the strange part: none of his Qnaps see more than the prepared share.
If I check my mainbox with a special rsync user from my remote 239, I see all the shares.
I cannot understand why that is. To us this whole Linux security feels like a big grab box.
The user I use here is exactly the same one my customer uses to connect to my 673.
The only difference is that the remote 239 is connected via a lan2lan VPN between 2 Draytek routers.

I think I am missing some knowledge here.
Thanks ahead.
Friendly Greetings,

RobB

Main NAS:
Model: TS-253D - 20200725
Boot:- Raid 1: 2x 1 TB m.2 WD Red
Disks - 6TB WD Red, 350GB WD blue 2.5"

BACKUP NAS (On 2 hours a day due to Electricity costs)
Model: TvS-673 40GB (2*32+2*4) - 20170215
Boot:-Raid 1: 2x Crucial M.2 275GB 2x
Disks Raid 1:-3.5" 2x Toshiba 10 TB
UPS: Back-UPS Pro BR900G-GR
---

-----------------------------------------------------------------------------------------------------------------------------------------
Media Boxe: Nvidia ShieldTV Pro
-----------------------------------------------------------------------------------------------------------------------------------------

Re: Rsync security grab bag?

Post by aarbee »

Nobody?
I see this as an issue, if you have an older device.

Re: Rsync security grab bag?

Post by aarbee »

I had a Teamviewer session with Qnap Netherlands yesterday.
The issue is not solved.

Explanation 1: Because you log in on the main NAS with the admin user, it can read any other Qnap where the user admin is being used.
In the case of the 673 to 219 or 239 that might be true. But it does not work between 673 and 453b.
Explanation 2: SMB version. The 219 and 239 both run on SMB 1.0 and the 673 and 453 run on SMB 2.1 or can even run on 3.0.

I got the impression that Qnap did not really know what caused it and is purely guessing.
I really wonder what Rsync has to do with SMB. I thought that SMB means Samba, which is a connection between the Linux world and the Windows world.
Yet I am only syncing between 2 Qnap (Linux) devices.

Can somebody else shed some light on this?
Thanks ahead,

RobB

Re: Rsync security grab bag?

Post by iam@nas »

You write something about SMB and mix it up with rsync. It's all mixed up and you do not even provide the rsync command which you are using to connect to the share of another NAS. No user, no path (of course you may replace sensitive data) and I can just guess that the user has too many permissions and thus sees too much.

Also my SMB connections work as expected and one may have a Windows client handy to test this. Testing locally with smbmount should produce the same results. I did not follow all Samba security bugs so there may be one which allows bypassing the security.

Re: Rsync security grab bag?

Post by aarbee »

I use the sync option from Hybrid backup.
Qnap to qnap.
I use Rsync. Between a local TVS-673 and TS-219 local and remote.

I do not come up with SMB. Qnap did. ;-)

Re: Rsync security grab bag?

Post by iam@nas »

I never used Hybrid backup for rsync backups. Looking up the documentation it seems you are using the admin user - I found no option to select a user. And the admin should have access to all folders.

Re: Rsync security grab bag?

Post by aarbee »

I connect to the other system with a specific user, which I have shared with a coworker. And that gave me the impression that it is accessing it with that userid. Not with the admin. I might be completely mistaken.

Re: Rsync security grab bag?

Post by iam@nas »

Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user. As long as you own both QNAPs involved this is ok.

Re: Rsync security grab bag?

Post by P3R »

iam@nas wrote: Wed Feb 27, 2019 12:44 pm Link to the official tutorial: https://www.qnap.com/en/how-to/tutorial ... -qnap-nas/
There I see that one can add a remote QNAP (Add Remote Connection image) but one cannot specify a user.
They use the RTRR protocol in that tutorial, so it is different from Rsync.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

Re: Rsync security grab bag?

Post by P3R »

aarbee wrote: Wed Feb 27, 2019 4:25 am I connect to the other system with a specific user, which I have shared with a co worker. And that gave me the impression that it is accessing it with that userid. Not with the admin. I might be completely mistaken.
As far as I know the user and password used to authenticate to the Rsync server isn't the same as a Qnap user even if they happen to share credentials.

Why do you use Rsync and not RTRR?
What speed is the connection between the sites?

Re: Rsync security grab bag?

Post by aarbee »

I have my main NAS (673) and 2 backup NASes (219+239) and back up between them via RTRR.
That process runs under the admin user.

I do not want to share the admin account with my coworker.
Neither did I find the option to use a second RTRR user. Therefore I use Rsync, for the incidental screenshot exchanges from citiesXL.

Re: Rsync security grab bag?

Post by aarbee »

Can RTRR receive and send with 2 or more different users?

Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?

And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4


Can Rsync?

Re: Rsync security grab bag?

Post by iam@nas »

As long as you use the Hybrid Backup you need to create a remote storage ( https://www.qnap.com/en/how-to/tutorial ... nap-nas/#b ). You may use it for RTRR or for scheduled backups.
As long as you cannot select a user here, 'admin' will be used. This makes sense for backups, as a backup with all file permissions is only possible this way unless the permissions are stored elsewhere.

Re: Rsync security grab bag?

Post by aarbee »

Problem is, that I do not mind that my colocation is using my admin account (as it is me-myself and I), but I do not want my coworker to use that same admin account.
Neither does he not want to know his admin account.

I will try to read that document. Thank you for the link.

Re: Rsync security grab bag?

Post by P3R »

aarbee wrote: Thu Feb 28, 2019 12:28 am Can RTRR receive and send with 2 or more different users?
Not in any way I know.
Say:
User1 receives from Qnap 2
User2 receives from Qnap nr 4?

And
User 1 sends to Qnap 2 & 3
User 1 sends to Qnap 4


Can Rsync?
As I said, the username/password used in the Rsync server authentication is independent from the Qnap user database in the same system, so you need to stop thinking about the rsync authentication being the same as the Qnap users.

An example of Qnap X:
User DB has users: admin, User1, User2
Rsync server has for authentication: User8

The above works despite User8 not being a Qnap user. The Rsync server accesses files as admin.

An example of Qnap Y:
User DB has users: admin, User1, User2
Rsync server has for authentication: User1

The above also works, but please note that rsync User1 still isn't the same as Qnap User1. The Rsync server accesses files as admin, not User1!
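P3R's Qnap X / Qnap Y point, as an added example that is not part of the thread and not QNAP's code: an audit of an rsync daemon configuration that reports, per module, which identity the daemon uses for file access regardless of the login name. The configuration is a constructed sample in standard rsyncd.conf syntax (`uid`, `auth users`, `path`), not a file from any QNAP device; the module names, `PRIVILEGED` and the function names are assumptions.

```python
# Constructed sample in rsyncd.conf syntax; not taken from any QNAP device.
SAMPLE_CONF = """\
uid = admin
[Screenshots]
path = /share/Screenshots
auth users = User8
[Everything]
path = /share
auth users = User1
[Public]
path = /share/Public
uid = nobody
"""

PRIVILEGED = {"root", "admin", "0"}  # assumption: ids that bypass share ACLs

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with lower-cased keys."""
    global_params, modules = {}, {}
    current = global_params          # lines before the first [module] are global
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return global_params, modules

def audit(text):
    """Per module: identity used for file access, accepted logins, findings."""
    global_params, modules = parse_rsyncd_conf(text)
    # Module settings override the global defaults.
    merged = {m: {**global_params, **p} for m, p in modules.items()}
    report = {}
    for name, eff in merged.items():
        uid = eff.get("uid", "(daemon default)")
        logins = eff.get("auth users", "").replace(",", " ").split()
        path = eff.get("path", "").rstrip("/")
        findings = []
        if not logins:
            findings.append("no auth users: anonymous access")
        if uid in PRIVILEGED:
            findings.append(f"files read as {uid} for every login")
        others = [e.get("path", "") for o, e in merged.items() if o != name]
        if "path" in eff and any(p.startswith(path + "/") for p in others):
            findings.append("path also contains other modules")
        report[name] = {"uid": uid, "logins": logins, "findings": findings}
    return report
```

In the sample, `User8` and `User1` are only names checked against the daemon's secrets; the module's `uid` and `path` decide what can actually be read.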