Open pacien opened 2 years ago

### Describe the feature you would like to see added to OpenZFS

Add a new delegable permission `send-raw` to allow some user/group to send dataset snapshots, but only in their raw/encrypted form.

### How will this feature improve OpenZFS?

Currently, `zfs allow send` allows some user/group to send an encrypted dataset in both its encrypted and decrypted forms. Allowing the latter is not always desirable.

For example, one might want to set up pull-mode backups without the backup host being able to access the content of the dataset. For this, the pull user should not be allowed to do non-raw sends.

### Additional context

A workaround is to have `zfs send --raw` in a script and have the backup user call only that wrapper, through `setuid` or `sudo`. This integrates badly with existing ZFS-based backup tools.

---

I'm really surprised this isn't easily possible right now. Basically it means that if I don't wanna trust the backup host, I must use a push configuration. In my case I'd like to use pull because my local backup host is not in my DMZ, but I also don't want to have to protect the backup host and just make it never decrypt the data.

---

Anyone using the wrapper script workaround with resumable sends should probably note the following issue: Security: Resume tokens can send anything. #14153

Adding an explicit `--raw` option when resuming a send can guard against malicious tokens as far as unintentional decryption is concerned.