Restricting JetBackup's SSH user to bare minimum

cPanel, Industry leading hosting platform with world-class support.
Post Reply
Morais
Posts: 6
Joined: July 15th, 2021, 11:40 pm

Restricting JetBackup's SSH user to bare minimum

Post by Morais »

Hy!

We currently have a bunch of servers using the Destination Type "SSH", everything is running fine. However, even though each one of our server's have their own respective user in the backup server, I don't like the fact that all of them have shell access against the backup server.

I am thinking of using ".bashrc" file or rbash to limit these users' ability to run any binaries other than a small subset that are critical for JetBackup to do its job. These users have no business in the backup server other than serving JetBackup.

What are the binaries necessary for JetBackup as SSH Destination Type to run properly?

Thanks!
JetAppsRichard
Staff Member
Staff Member
Posts: 97
Joined: January 1st, 2021, 12:51 am

Re: Restricting JetBackup's SSH user to bare minimum

Post by JetAppsRichard »

Hello Morais,

Thank you for reaching out through our forums. We understand that security is of the utmost importance when performing backups over SSH. Although we do not have an exhaustive list of binaries required for JetBackup, please ensure that the jetbackup user you assign has the ability to execute common linux commands like the following:

Code: Select all

mkdir
ls
stat
rm
rsync
df
I hope you find this information helpful. Please let us know if you have any further questions.
Best Regards,
Richard, JetApps Team
Morais
Posts: 6
Joined: July 15th, 2021, 11:40 pm

Re: Restricting JetBackup's SSH user to bare minimum

Post by Morais »

Hy, Richard! Thanks for your input and sorry for the delay.

I restricted one of our server's JetBackup's user in the backup server (CentOS 8) to this subset of binaries you mentioned and it sort of worked. That is, the test account was backed up correctly (the files are all there) but JetBackup e-mail report threw an odd error: "suportehdwcom...FAILED - release snapshot folder". I've never seen that message before and doesn't appear to be documented.

The task log suggests it ran well (connection, "df", "rsync" and "ls" exited 0), then the very first non-zero exit code entry shows up and looks like this:

Code: Select all

[17 July 2021 03:55:03 PM -0300] 	Destination Disk Space Usage is 83.91% (6.3 TB out of 7.5 TB)
[17 July 2021 03:55:03 PM -0300] [DEBUG] Executing "ssh -p 3022 [SERVER_HOSTNAME]@[BKP_SERVER_IP] -o ControlPath="/usr/local/jetapps/etc/.ssh/sockets/ssh_5f0fb79d6a7ada8352631cf2_kJRPXkLUGZUqqITn" -x ls -dl './jetbackup_1_1_60f3274a27f7d2224c7a7292'"
[17 July 2021 03:55:03 PM -0300] [DEBUG] 
	Time: 0.045406103134155
	Exit code: 2, 
	Output: Array
(
)

[17 July 2021 03:55:03 PM -0300] [DEBUG] ls: cannot access './jetbackup_1_1_60f3274a27f7d2224c7a7292': No such file or directory

[17 July 2021 03:55:03 PM -0300] [DEBUG] #0 /usr/local/jetapps/var/lib/JetBackup/Core/Destination/SSH.inc(374): JetBackup\Core\Destination\aDestination->_exec('ssh -p 3022 nuv...', Array, 'ls: cannot acce...')
#1 /usr/local/jetapps/var/lib/JetBackup/Core/Destination/Local.inc(201): JetBackup\Core\Destination\SSH->_exec('ssh -p 3022 nuv...', Array)
#2 /usr/local/jetapps/var/lib/JetBackup/Core/Destination/Local.inc(215): JetBackup\Core\Destination\Local->getFileType('jetbackup_1_1_6...')
#3 /usr/local/jetapps/var/lib/JetBackup/Core/Destination/Local.inc(279): JetBackup\Core\Destination\Local->dirExists('jetbackup_1_1_6...')
#4 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Backup.inc(816): JetBackup\Core\Destination\Local->mkDir('jetbackup_1_1_6...')
#5 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Backup.inc(841): JetBackup\Cpanel\Backup->_prepareDestination()
#6 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Controllers/ScheduledController.inc(240): JetBackup\Cpanel\Backup->execute()
#7 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Controllers/BackupController.inc(58): JetBackup\Cpanel\Controllers\ScheduledController->execute()
#8 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Controllers/BackupController.inc(94): JetBackup\Cpanel\Controllers\BackupController->_executeParent()
#9 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Cli.inc(318): JetBackup\Cpanel\Controllers\BackupController->execute()
#10 /usr/local/jetapps/var/lib/JetBackup/Cpanel/Cli.inc(84): JetBackup\Cpanel\Cli::run(Object(JetBackup\Cpanel\CliArgs))
#11 /usr/local/jetapps/usr/bin/jetbackup(34): JetBackup\Cpanel\Cli::main(Array)
#12 {main}
[17 July 2021 03:55:03 PM -0300] [DEBUG] Executing "ssh -p 3022 [SERVER_HOSTNAME]@[BKP_SERVER_IP] -o ControlPath="/usr/local/jetapps/etc/.ssh/sockets/ssh_5f0fb79d6a7ada8352631cf2_kJRPXkLUGZUqqITn" -x mkdir -p './jetbackup_1_1_60f3274a27f7d2224c7a7292'"
[17 July 2021 03:55:03 PM -0300] [DEBUG] 
	Time: 0.08886194229126
	Exit code: 0, 
	Output: Array
(
)
As you can see by the order of both entries, the log suggests JetBackup tried to list the "jetbackup_1_1_60f3274a27f7d2224c7a7292" directory before creating it, which explains the "No such file or directory" error message.

In order to attempt to reproduce the issue I manually SSH'ed into the backup server using the same username and key and managed to run that same command ("ls -dl './jetbackup_1_1_60f3274a27f7d2224c7a7292'") with no issues, so it was indeed created where expected (the user's homedir):

Code: Select all

[[SERVER_HOSTNAME]@[BKP_SERVER] ~]$ ls -dl './jetbackup_1_1_60f3274a27f7d2224c7a7292'
drwxrwxr-x. 3 [username] [username] 4096 Jul 17 14:55 ./jetbackup_1_1_60f3274a27f7d2224c7a7292
[[SERVER_HOSTNAME]@[BKP_SERVER] ~]$ echo $?
0
[[SERVER_HOSTNAME]@[BKP_SERVER] ~]$
The test account can be found within this directory, its structure looks fine and the size matches. The backup did run then, something just didn't finish properly somehow.

Any idea what could be causing this behavior?

Thanks!
Morais
Posts: 6
Joined: July 15th, 2021, 11:40 pm

Re: Restricting JetBackup's SSH user to bare minimum

Post by Morais »

Oh, never mind, the problem is that "mv" is also required. The backup task is finishing correctly now with its SSH user limited to those 6 commands you mentioned plus mv. :D

Thanks, Richard! Have a nice weekend!
JetAppsRichard
Staff Member
Staff Member
Posts: 97
Joined: January 1st, 2021, 12:51 am

Re: Restricting JetBackup's SSH user to bare minimum

Post by JetAppsRichard »

Hello Morais,

Thank you for the update and apologies for my delay. I am glad to see you were able to resolve the reported issues after adding the 'mv' command. We will add this to our list of required Linux commands I provided initially. Please let us know if you run into any further issues or have any further questions.
Best Regards,
Richard, JetApps Team
Post Reply