Rsync security grab bag?

Discussion on remote replication.
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas »

@"The Rsync server access files as admin, not User1!"
One may get the impression that the rsync daemon allows connected non-root users to write to '/'.

@"the Rsync server authentication is independent from the Qnap user database"
Now I wonder which user database rsync is using if it's not the Linux / QTS one and where one can configure it and whether PAM is available.
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R »

iam@nas wrote: Thu Feb 28, 2019 3:25 am @"The Rsync server access files as admin, not User1!"
One may get the impression that the rsync daemon allows connected non-root users to write to '/'.
No, it allows another system that knows the authentication (that isn't a Qnap user) to the Rsync server to synchronize its data with the destination system that the Rsync server runs on. It's the Rsync daemon that writes to disk as the user it operates under (admin). Qnap Hybrid Backup Sync and the predecessor Backup Station destinations are limited to access shared folders, so can't send data to '/'.
Now I wonder which user database rsync is using if it's not the Linux / QTS one and where one can configure it and whether PAM is available.
No user database at all, it's only two phrases in the Rsync server configuration that happen to be called username and password but they could as well have been called Passphrase1 and Passphrase2.
Rsyncuser.jpg

I repeat: "...you need to stop to think about the rsync authentication being the same as the Qnap users".
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
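
Added example, not part of P3R's post or of QNAP's software: a small Python audit of an rsyncd.conf for the conditions discussed above (a daemon module that writes as admin, a module rooted at '/', and `auth users` passphrases that are unrelated to system accounts). The sample configuration, its module names and the set of privileged account names are assumptions; `uid`, `path`, `read only`, `auth users` and `hosts allow` are standard rsyncd.conf parameters.

```python
# Constructed sample config; module names, paths and accounts are made up.
SAMPLE_CONF = """\
uid = admin
[everything]
path = /
read only = false
auth users = rsync
[exchange]
path = /share/Exchange
uid = backupuser
read only = false
auth users = siteb
hosts allow = 10.8.0.0/24
"""

PRIVILEGED = {"root", "admin", "0"}  # "admin" as in the thread; adjust per system

def parse(text):
    """Split rsyncd.conf text into (global params, {module: params})."""
    glob, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            target = glob if current is None else current
            target[" ".join(key.lower().split())] = value.strip()
    return glob, modules

def audit(text):
    """Return {module: [findings]}; unset params use globals, then rsync defaults."""
    glob, modules = parse(text)
    report = {}
    for name, params in modules.items():
        p = {**glob, **params}
        writable = p.get("read only", "yes").lower() in ("no", "false", "0")
        checks = [
            (p.get("uid", "nobody") in PRIVILEGED and writable, "writes as privileged uid"),
            (p.get("path") == "/", "module path is filesystem root"),
            (not p.get("auth users"), "no auth users (anonymous access)"),
            (not p.get("hosts allow"), "no hosts allow restriction"),
        ]
        report[name] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module with an empty findings list, like the constructed `exchange` module, runs as a non-privileged account, is confined to one shared folder, requires an rsync passphrase and is limited to a known source network.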
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Rsync security grab bag?

Post by iam@nas »

Using ssh+rsync from the command line I didn't know about this setup page. At least for the ssh connection the Linux users are used.
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R »

Command line Rsync may be different, this thread and I have only discussed the use of Rsync in the Qnap backup applications Hybrid Backup Sync and Backup Station.
aarbee
Easy as a breeze
Posts: 387
Joined: Wed Feb 16, 2011 4:54 am

Re: Rsync security grab bag?

Post by aarbee »

I am very happy about the explanations, for which I say thank you very much.
But we are drifting off a little bit, I think.

The reason for this thread is:
The 673 can see the whole directory structure/Shares on the 219 and 239.
The 673 can only see within the specific directory of the 453b, in which it should look/see.

Does that have something to do with:
a) SMB version
b) QTS version. (673= 4.3.5, 219=4.33, 239=4.2.6)
Friendly Greetings,

RobB

Main NAS:
Model: TS-253D - 20200725
Boot:- Raid 1: 2x 1 TB m.2 WD Red
Disks - 6TB WD Red, 350GB WD blue 2.5"

BACKUP NAS (On 2 hours a day due to Electricity costs)
Model: TvS-673 40GB (2*32+2*4) - 20170215
Boot:-Raid 1: 2x Crucial M.2 275GB 2x
Disks Raid 1:-3.5" 2x Toshiba 10 TB
UPS: Back-UPS Pro BR900G-GR
Media Box: Nvidia ShieldTV Pro
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Rsync security grab bag?

Post by P3R »

aarbee wrote: Thu Feb 28, 2019 7:55 am Does that have something to do with:
a) SMB version
I don't see how it could as you're using a different protocol.
b) QTS version. (673= 4.3.5, 219=4.33, 239=4.2.6)
Possible, I don't know. And if it is, it most likely will never be solved as the 2-bays won't receive any later QTS-versions.

But now that I come to think of it, using CIFS/SMB as transport protocol in Hybrid Backup Sync could probably be a solution for you, assuming that you have a secure connection (VPN?) between the sites. That way you could actually be using a non-admin Qnap user defined on the other system, which would give exactly the rights that user has. The easiest to manage would be that both of you create a shared folder used only for this data exchange and a normal user with rights only in that shared folder to be used by the other.