
HBS3 security concerns

Posted: Mon Oct 26, 2020 7:53 pm
by TomTom
I'm trying to update my backup policy to include offsite backups.
A relative of mine also has a QNAP running and I plan to mutually back up files to the other NAS over VPN.
Local test using HBS3 so far is ok when I use QuDeDup (without that I see problems with RTRR eating up the available RAM).

Now my question regarding security:
  • When I configure the NAS and activate the rsync/rtrr server there is just the user RSYNC and its password.
  • During configuration of the source NAS only this password is asked, no other parameters.
  • I can select every shared folder as a destination, it seems
  • checking the backup files on the destination folder, the owner of this file is admin, so I assume the process can place the files everywhere
  • I tried a restore of normal files, generated by a normal user on the destination NAS, files were not produced by a backup
  • and now the critical point: the restore process just copied the plain files from the destination NAS to the source NAS
It seems to me that by starting the RTRR process you grant kind of admin access to the destination NAS (at least regarding file permissions).
How is it possible to avoid that?

I hope it's just a silly question and not a problem in the security concept of HBS3.

Thanks for any ideas.

Re: HBS3 security concerns

Posted: Tue Nov 10, 2020 2:40 am
by TomTom
Is there a way to give the RTRR process different privileges in order to control which part of the remote NAS is read from or written to?