# Security Concerns: nfs, rsync, cvsd, etc



## Hornpipe2 (Jan 12, 2013)

Lot of questions here and I'm not quite certain where to put them all, so I'll just file it under Networking and hope for the best.

I'm rebuilding my home server with a set of ports that I use quite frequently.  This is an "always on" machine that serves these roles:

Web Server
MySQL database (supports the Web server, localhost access only)
Login server (SSH)
Version Control for personal projects
NFS server
rsync remote-backup host
...and a pf firewall to separate between local- and remote- accesses.

I have just two user accounts for login, which would be my own, and root.  Installing the ports is going well, and I've had no issues, up until I got to NFS and rsync when I started to get some concerns about security and best-practices.  For example, www/lighttpd automagically creates a www user and a document-root under /var/www, databases/mysql-server does the same (mysql, and /var/db/mysql).

I don't have a user for nfsd.  I use NFS primarily to just dump files off my desktop when I need space - sort of a NAS.  Is it wise to create a user for nfsd, or re-use an existing one, or...?  What should I use for the user ID?  Where is a good place to put the NFS exported folder?

I don't have a user for rsync, either.  It defaults to using "nobody", but that needs to own a folder somewhere too.  Should I make an rsync user?  Can I reuse the NFS user?  Should I put the rsync folder inside my nfs/ folder?  Should my rsync folder *be* the nfs/ folder too?

What about all these other users in the /etc/passwd file... can I remove a bunch of them?

I hope I'm making some sense with my questions : )  I know I can do pretty much whatever I want and put the folders all over the place.  But I'm not sure if there is a "best" place to put them, or a recommended way to run them with safe permissions.


----------



## wblock@ (Jan 12, 2013)

In general, try not to reinvent things.  The system already has a setup for NFS, including recommended settings, users, and start scripts: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html.

Removing default user accounts from /etc/passwd is... well, let me quote Buckaroo Banzai: "No, no, no, don't tug on that. You never know what it might be attached to."


----------



## Hornpipe2 (Jan 12, 2013)

I think I've found a solution.
* Export /home/<userid> in /etc/exports, with mapall=<userid>
* Put a folder /home/<userid>/.backup which is a target folder for rsync
* Later, use rsync from server to mirror /home/<userid> to offsite backup

The "ideal" solution is a dedicated local backup machine, but I can't buy more drives right now.

Is it possible to have rsync use different users for different targets?  Otherwise I end up with .backup owned by nobody:nobody, though it's in my <userid> folder.


----------

