The Bareos filedaemon (client) runs per default with administrator/root privileges in order to be able to backup all files. The Filedaemon also is able to execute scripts before and after the backups and restores. In order to perform restores, the filedaemon has the ability to overwrite all files on the client machine. While all of this is required for normal backup and restore operation, certain environments might have higher security requirements.
Bareos offers the following options are available to enhance the security and limit the power of the filedaemon:
- Limit the directories from where the filedaemon executes scripts. This can be achieved with the configuration directive
Allowed Script Dir - Limit the Job Commands that the filedaemon accepts. The
Allowed Job Commanddirective determines which of the existing job commands (backup,restore,verify,estimateandrunscript) are allowed. By prohibiting therestorecommand, the filedaemon will not allow to do restores. Without therunscriptcommand, no runscripts will be executed. - run the filedaemon as non-root user with the capabilities
CAP_DAC_READ_SEARCH. This uses the Linux capabilities mechanism to run as normal user but have the the right to read all files. Writing files will not be possible in this setup.
These security measures can prevent an attacker that gained control over the bareos director to alter the files of the machines being backed up.
However, when a restore is required, the filedaemon on the client needs to be reconfigured to allow restores and/or runscripts. Alternatively, a second bareos filedaemon can be started that has a configuration that allows restores.
Usually the amount of restores is much smaller than the backups, so these measures still can enhance the security with relatively little effort and inconvenience.