I've had good luck using `zfs allow` to grant non-root backup users the ability to only add snapshots to their datasets, to avoid the "attacker compromises prod and then jumps to the backup server and deletes the backups" scenario. It is an extra step to clean up old snapshots, but worth the risk reduction.
You can also split administration up so that, e.g., my friend sending me snapshots can't even log in as root on his backup server.
A good tip, thanks. I did not know about `zfs allow`; I'll be playing with that this weekend.
`zfs allow` is rather complex. What specific set of permissions are you allowing your users?
For the receiving side the user needs `receive` permission for the dataset to receive new snapshots, but it's convenient to grant `create,mount` as well so the user can send new child datasets which may have mount options in the source dataset, relying on inheritance for the allow permissions to apply to the child datasets.
On the sending side `send` is enough, but for tools like syncoid and znapzend `hold,release` are useful as well since typically they hold the latest snapshot on the source which the destination also has so that it can't be deleted on the source before it's used to send an incremental stream up to a newer snapshot only available on the source.
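As an added example (not code from the thread), the two permission sets described above as `zfs allow` commands, plus an audit that parses `zfs allow` output to confirm the backup user holds no `destroy` or `rollback` permission. The user name `backup` and the datasets `tank/backups/prod` and `tank/data` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: user "backup",
# datasets tank/backups/prod (receiver) and tank/data (sender).

# Receiving side: receive, plus create,mount so new child datasets can be
# created. Deliberately no destroy, so a compromised sender cannot delete backups.
receiver_allow_cmd() {
  printf 'zfs allow -u %s receive,create,mount %s\n' "$1" "$2"
}

# Sending side: send, plus hold,release so syncoid/znapzend can pin the
# last common snapshot until the next incremental stream has been sent.
sender_allow_cmd() {
  printf 'zfs allow -u %s send,hold,release %s\n' "$1" "$2"
}

# Audit: read `zfs allow <dataset>` output on stdin and exit 1 if the named
# user, or "everyone", holds destroy or rollback on that dataset.
# Group (-g) grants are not checked here; extend the match if you use them.
audit_user_cannot_destroy() {
  awk -v u="$1" '
    $1 == "user" && $2 == u { p = $3 }
    $1 == "everyone"        { p = $2 }
    p != "" {
      n = split(p, perms, ",")
      for (i = 1; i <= n; i++)
        if (perms[i] == "destroy" || perms[i] == "rollback") bad = 1
      p = ""
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of what `zfs allow tank/backups/prod` prints after the
# receiver command above (ZFS lists the permissions sorted).
GOOD_ALLOW_OUTPUT='---- Permissions on tank/backups/prod ---------------------------------
Local+Descendent permissions:
        user backup create,mount,receive'

# Constructed sample of an over-privileged grant that the audit must reject.
BAD_ALLOW_OUTPUT='---- Permissions on tank/backups/prod ---------------------------------
Local+Descendent permissions:
        user backup create,destroy,mount,receive'

receiver_allow_cmd backup tank/backups/prod
sender_allow_cmd backup tank/data
printf '%s\n' "$GOOD_ALLOW_OUTPUT" | audit_user_cannot_destroy backup && echo "backup user cannot destroy: OK"
```

In practice pipe the real `zfs allow <dataset>` output into `audit_user_cannot_destroy` from a cron job on the backup server.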