There are many ways to make a server backup, but we will use rsync (remote sync), bindfs, and rssh (restricted shell).
Install rssh:
apt list rssh
apt show rssh
apt install rssh
Create a user for backups that uses the restricted shell:
useradd apps_backup -m -s /usr/bin/rssh
ls -al /home/apps_backup/
grep apps_backup /etc/passwd
Edit /etc/rssh.conf to allow rsync and use a chroot jail for restricting access:
allowrsync
chrootpath = /home/apps_backup
Test that the shell of the user apps_backup is restricted:
su apps_backup
Install bindfs:
apt list bindfs
apt show bindfs
apt install bindfs
Create mount directories:
mkdir -p /home/apps_backup/opt-scripts
mkdir -p /home/apps_backup/var-ds
Add these lines to /etc/fstab for mounting directories read-only:
/opt/docker-scripts /home/apps_backup/opt-scripts fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
/var/ds /home/apps_backup/var-ds fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
Mount them:
mount -a
ls -al /home/apps_backup/opt-scripts
ls -al /home/apps_backup/var-ds
Test that they are read-only (listing should succeed, touch should fail):
sudo -u apps_backup ls -al /home/apps_backup/var-ds
sudo -u apps_backup touch /home/apps_backup/var-ds/test1.txt
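A configuration lint for the steps above, as an added example that is not part of the original guide: it checks copies of /etc/passwd, /etc/rssh.conf and /etc/fstab for the settings shown here. The function names, the sample UID, and the rule that any allow keyword other than allowrsync fails the check are assumptions of this example.

```shell
# Added example: lint copies of the three files this guide edits.

# check_passwd FILE USER: the user's login shell must be rssh.
check_passwd() {
    awk -F: -v u="$2" '$1 == u && $7 == "/usr/bin/rssh" { ok = 1 }
        END { exit !ok }' "$1"
}

# check_rssh_conf FILE JAIL: allowrsync is set, no other allow* keyword is
# (assumption: the guide enables only rsync), and chrootpath equals JAIL.
check_rssh_conf() {
    awk -v jail="$2" '
        { sub(/#.*/, ""); gsub(/[ \t"]/, "") }
        /^allow/ { if ($0 == "allowrsync") rsync = 1; else extra = 1 }
        $0 == "chrootpath=" jail { jailed = 1 }
        END { exit !(rsync && jailed && !extra) }' "$1"
}

# check_fstab FILE HOME USER: every mount under HOME must be fuse.bindfs with
# force-user=USER and a perms= value that starts at 0000 and adds no "w".
check_fstab() {
    awk -v home="$2" -v user="$3" '
        /^[ \t]*#/ || index($2, home "/") != 1 { next }
        {
            seen = 1; forced = 0; perms = ""
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "force-user=" user) forced = 1
                if (index(opt[i], "perms=") == 1) perms = substr(opt[i], 7)
            }
            split(perms, p, ":")
            if ($3 != "fuse.bindfs" || !forced || p[1] != "0000" || perms ~ /w/) {
                print "not read-only for " user ": " $2; bad = 1
            }
        }
        END { exit !(seen && !bad) }' "$1"
}

# Constructed sample files mirroring the guide's settings (UID/GID made up).
d=$(mktemp -d)
echo 'apps_backup:x:1001:1001::/home/apps_backup:/usr/bin/rssh' > "$d/passwd"
printf 'allowrsync\nchrootpath = /home/apps_backup\n' > "$d/rssh.conf"
cat > "$d/fstab" <<'EOF'
/opt/docker-scripts /home/apps_backup/opt-scripts fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
/var/ds /home/apps_backup/var-ds fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
EOF
check_passwd "$d/passwd" apps_backup && echo "shell: ok"
check_rssh_conf "$d/rssh.conf" /home/apps_backup && echo "rssh.conf: ok"
check_fstab "$d/fstab" /home/apps_backup apps_backup && echo "fstab: ok"
```

On a real host, pass /etc/passwd, /etc/rssh.conf and /etc/fstab instead of the sample copies.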