From 755f2c62a03b73dd9583948476bd41314d15d6fb Mon Sep 17 00:00:00 2001 From: Janek Bevendorff Date: Wed, 15 Oct 2014 00:59:12 +0200 Subject: [PATCH] Add ro mount option to bind mounts as extra security measure --- README.md | 26 +++++++++++++------------- server/etc/fstab | 12 ++++++------ server/etc/fstab_synology | 14 +++++++------- server/etc/fstab_ubuntu | 12 ++++++------ 4 files changed, 32 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index cf91480..b48f113 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,12 @@ The optional third parameter specifies the path to the SSH public key file which rs-backup-suite can chroot backup users into the backup home base directory. For this to work you need to create a few bind mounts. The install script already created the respective lines in your `/etc/fstab` for you. If you don't need any special configuration on your system, all you need to do is to uncomment everything between the `BEGIN` and `END` lines (do NOT change these two lines, though): # BEGIN: rs-backup-suite - #/bin /bkp/bin none bind 0 0 - #/lib /bkp/lib none bind 0 0 - #/dev /bkp/dev none bind 0 0 - #/usr/bin /bkp/usr/bin none bind 0 0 - #/usr/lib /bkp/usr/lib none bind 0 0 - #/usr/share/perl5 /bkp/usr/share/perl5 none bind 0 0 + #/bin /bkp/bin none bind,ro 0 0 + #/lib /bkp/lib none bind,ro 0 0 + #/dev /bkp/dev none bind,ro 0 0 + #/usr/bin /bkp/usr/bin none bind,ro 0 0 + #/usr/lib /bkp/usr/lib none bind,ro 0 0 + #/usr/share/perl5 /bkp/usr/share/perl5 none bind,ro 0 0 # END: rs-backup-suite The necessary mounts may differ from system to system. For instance, Ubuntu needs `/usr/share/perl` instead of `/usr/share/perl5`. Synology DSM doesn't need `/usr/share/*` at all, but requires `/opt/bin`, `/opt/lib` and `/opt/libexec`. But in most cases you don't need to worry about that since the install script tries to make the correct decisions for you. 
@@ -166,13 +166,13 @@ To run the server component on Synology DSM, you need to install the following p If you want to run your backups in a chroot environment please note that `/etc/fstab` will be reset to its defaults when rebooting the disk station. To avoid configuration loss, no mount directives are added to `/etc/fstab` by the install script. Instead the following entries are added to `/etc/rc` (which won't be overwritten upon reboot): # BEGIN: rs-backup-suite - #mount -o bind /bin /var/services/homes/bin - #mount -o bind /lib /var/services/homes/lib - #mount -o bind /dev /var/services/homes/dev - #mount -o bind /usr/bin /var/services/homes/usr/bin - #mount -o bind /opt/bin /var/services/homes/opt/bin - #mount -o bind /opt/lib /var/services/homes/opt/lib - #mount -o bind /opt/libexec /var/services/homes/opt/libexec + #mount -o bind,ro /bin /var/services/homes/bin + #mount -o bind,ro /lib /var/services/homes/lib + #mount -o bind,ro /dev /var/services/homes/dev + #mount -o bind,ro /usr/bin /var/services/homes/usr/bin + #mount -o bind,ro /opt/bin /var/services/homes/opt/bin + #mount -o bind,ro /opt/lib /var/services/homes/opt/lib + #mount -o bind,ro /opt/libexec /var/services/homes/opt/libexec # END: rs-backup-suite To enable the mounts, uncomment everything between the `BEGIN` and `END` block. Afterwards either run these commands by hand once or reboot. diff --git a/server/etc/fstab b/server/etc/fstab index 746af88..7987ba5 100644 --- a/server/etc/fstab +++ b/server/etc/fstab 
@@ -1,8 +1,8 @@
 # BEGIN: rs-backup-suite
-#/bin ::BACKUP_ROOT::/bin none bind 0 0
-#/lib ::BACKUP_ROOT::/lib none bind 0 0
-#/dev ::BACKUP_ROOT::/dev none bind 0 0
-#/usr/bin ::BACKUP_ROOT::/usr/bin none bind 0 0
-#/usr/lib ::BACKUP_ROOT::/usr/lib none bind 0 0
-#/usr/share/perl5 ::BACKUP_ROOT::/usr/share/perl5 none bind 0 0
+#/bin ::BACKUP_ROOT::/bin none bind,ro 0 0
+#/lib ::BACKUP_ROOT::/lib none bind,ro 0 0
+#/dev ::BACKUP_ROOT::/dev none bind,ro 0 0
+#/usr/bin ::BACKUP_ROOT::/usr/bin none bind,ro 0 0
+#/usr/lib ::BACKUP_ROOT::/usr/lib none bind,ro 0 0
+#/usr/share/perl5 ::BACKUP_ROOT::/usr/share/perl5 none bind,ro 0 0
 # END: rs-backup-suite
diff --git a/server/etc/fstab_synology b/server/etc/fstab_synology
index fde6580..35469e1 100644
--- a/server/etc/fstab_synology
+++ b/server/etc/fstab_synology
@@ -1,9 +1,9 @@
 # BEGIN: rs-backup-suite
-#mount -o bind /bin ::BACKUP_ROOT::/bin
-#mount -o bind /lib ::BACKUP_ROOT::/lib
-#mount -o bind /dev ::BACKUP_ROOT::/dev
-#mount -o bind /usr/bin ::BACKUP_ROOT::/usr/bin
-#mount -o bind /opt/bin ::BACKUP_ROOT::/opt/bin
-#mount -o bind /opt/lib ::BACKUP_ROOT::/opt/lib
-#mount -o bind /opt/libexec ::BACKUP_ROOT::/opt/libexec
+#mount -o bind,ro /bin ::BACKUP_ROOT::/bin
+#mount -o bind,ro /lib ::BACKUP_ROOT::/lib
+#mount -o bind,ro /dev ::BACKUP_ROOT::/dev
+#mount -o bind,ro /usr/bin ::BACKUP_ROOT::/usr/bin
+#mount -o bind,ro /opt/bin ::BACKUP_ROOT::/opt/bin
+#mount -o bind,ro /opt/lib ::BACKUP_ROOT::/opt/lib
+#mount -o bind,ro /opt/libexec ::BACKUP_ROOT::/opt/libexec
 # END: rs-backup-suite
diff --git a/server/etc/fstab_ubuntu b/server/etc/fstab_ubuntu
index 0c5213b..20eadeb 100644
--- a/server/etc/fstab_ubuntu
+++ b/server/etc/fstab_ubuntu
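Review bot: The `ro` added to these `bind` entries may not take effect: on Linux the initial bind mount ignores `ro`, and only newer util-linux `mount` versions follow it with the remount that applies the flag, so on older systems the targets can stay read-write while the configuration reads as hardened. The same applies to the entries in `server/etc/fstab_ubuntu` and to the `mount -o bind,ro` commands in `server/etc/fstab_synology`, where the installed `mount` is presumably BusyBox and its behaviour should be checked. I would add a comment above the block such as `# verify after mounting: grep ::BACKUP_ROOT:: /proc/mounts (every entry must list ro)`. In the Synology file, each command can be followed by an explicit `mount -o remount,ro,bind ::BACKUP_ROOT::/bin` (one per target).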
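Review bot: The `/dev` line gains little from `ro`: a read-only mount stops nodes being created or removed, but not reads and writes through the device nodes already there, so what a chrooted backup user can reach is still decided by each node's permissions. This holds for the `/dev` entries in `server/etc/fstab` and `server/etc/fstab_ubuntu` as well. A comment such as `# ro on /dev does not restrict I/O to existing device nodes` would keep the option from being read as a stronger guarantee than it is. Longer term, a minimal `/dev` holding only the nodes the backup tools need would be tighter than binding the host's.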
@@ -1,8 +1,8 @@
 # BEGIN: rs-backup-suite
-#/bin ::BACKUP_ROOT::/bin none bind 0 0
-#/lib ::BACKUP_ROOT::/lib none bind 0 0
-#/dev ::BACKUP_ROOT::/dev none bind 0 0
-#/usr/bin ::BACKUP_ROOT::/usr/bin none bind 0 0
-#/usr/lib ::BACKUP_ROOT::/usr/lib none bind 0 0
-#/usr/share/perl ::BACKUP_ROOT::/usr/share/perl none bind 0 0
+#/bin ::BACKUP_ROOT::/bin none bind,ro 0 0
+#/lib ::BACKUP_ROOT::/lib none bind,ro 0 0
+#/dev ::BACKUP_ROOT::/dev none bind,ro 0 0
+#/usr/bin ::BACKUP_ROOT::/usr/bin none bind,ro 0 0
+#/usr/lib ::BACKUP_ROOT::/usr/lib none bind,ro 0 0
+#/usr/share/perl ::BACKUP_ROOT::/usr/share/perl none bind,ro 0 0
 # END: rs-backup-suite
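Review bot: The `/bin`, `/usr/bin` and `/usr/lib` entries still expose the host's setuid binaries inside the chroot, because `ro` only stops them from being modified. If backup users need no setuid programs, adding `nosuid` to those lines would close that off, e.g. `#/usr/bin ::BACKUP_ROOT::/usr/bin none bind,ro,nosuid 0 0`. As with `ro`, the flag should be confirmed in `/proc/mounts` after mounting, since options on a bind mount are not applied by every `mount` version.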