SECURITY: Privilege separation for archive_command & other Barman functions #123
An obvious way to mitigate this is to opt out of using WAL shipping ( |
Also consider what happens when you have several servers being backed up to the same barman server:
You can ssh from postgres@pgXX -> barman@barman01, and then any compromise of ALL backups for ALL of them. ALSO, if you're doing remote recovery ("definitely the most common way") then you need ssh from barman@barman01 --> postgres@pgXX, then any compromise of ANY of the postgres servers can be relayed via the barman server to access ALL of the postgres servers:
That sounds a little worrying... but I'm new to Barman, so am I getting that right?
http://docs.pgbarman.org/release/2.4/#one-barman-many-postgresql-servers
http://docs.pgbarman.org/release/2.4/#preliminary-steps
Consider a common setup where user `postgres` on `pg` runs a PostgreSQL server and `barman` on `backup` runs Barman, and `postgres@pg` has passwordless SSH pubkey access to `barman@backup` to perform the recommended

Now consider a situation where the `postgres@pg` user is compromised and an attacker gains shell access on that user. They can now `ssh barman@backup` and silently corrupt the backup.

To prevent this, we need privilege separation between `archive_command` and other functions of Barman.

We might be able to solve this without changes to Barman, for example by leveraging forced commands in `authorized_keys`, or by using another user to perform the `archive_command` and UNIX privileges to separate it from the rest of Barman, or some combination thereof.

A heads-up in the documentation and an example configuration mitigating this would be appreciated.
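
One way to apply the forced-command idea from the issue above, as an added example that is not Barman's code or the issue author's: a receive-only wrapper bound to the key that `postgres@pg` uses. The wrapper path `/usr/local/bin/wal-receive`, the incoming directory `/var/lib/barman/pg/incoming`, the `archive_command` form and the key placeholder are all assumptions.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper, assumed installed as /usr/local/bin/wal-receive.
# ~barman/.ssh/authorized_keys entry for the key used by postgres@pg (one line):
#   command="/usr/local/bin/wal-receive /var/lib/barman/pg/incoming",restrict ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> postgres@pg
# Assumed matching setting on pg:  archive_command = 'ssh barman@backup %f < %p'
# sshd exports what the client asked to run as SSH_ORIGINAL_COMMAND. It is
# treated as untrusted data (the WAL file name) and is never executed.
LC_ALL=C; export LC_ALL

# Accept only names PostgreSQL gives archived files: a 24-hex-digit segment
# (optionally .partial or .<8 hex>.backup) or an <8 hex>.history file.
valid_wal_name() {
    # Reject any other byte first, including '/', spaces and newlines,
    # because grep alone would match one good line of a multi-line value.
    case $1 in ''|*[!0-9A-Za-z.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9A-F]{24}(\.partial|\.[0-9A-F]{8}\.backup)?|[0-9A-F]{8}\.history)$'
}

# receive_wal INCOMING_DIR NAME  (segment contents arrive on stdin)
# Returns 2 for a bad name, 3 if NAME already exists, 4 on I/O failure.
receive_wal() {
    incoming=$1 name=$2
    valid_wal_name "$name" || { echo "rejected: invalid WAL name" >&2; return 2; }
    # Dot-prefixed temp file in the same directory, the naming rsync uses
    # for its own in-flight files.
    tmp=$(mktemp "$incoming/.recv.XXXXXX") || return 4
    if ! cat > "$tmp"; then
        rc=4
    elif ! ln "$tmp" "$incoming/$name" 2>/dev/null; then
        rc=3    # ln refuses an existing target, so nothing is ever overwritten
    else
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Entry point under sshd; $1 is the directory fixed in authorized_keys.
# A login with no command requested falls through and exits without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ $# -eq 1 ]; then
    receive_wal "$1" "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this in place a compromised `postgres@pg` key can still submit new, well-formed segment names, but it gets no shell on `backup` and cannot overwrite or delete anything already received. It does not address the reverse `barman@barman01 --> postgres@pgXX` path used for remote recovery that the comment raises.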