[SAC] Backup of access file ?

It looks to me that the master password file is not being
backed up, please correct me if I'm wrong.

How do we want to deal with that information ?
Shall each primary admin autonomously take a backup
of that file ? Or should we consider it safe to include
those files in a clear-text backup ? Or shall we
just spread a "master password" to encrypt that file before
backing it up ?

Ideas welcome.

--strk;

Depends where these plain text backups are kept. If the backups are on a system only accessible to SAC admins, seems fine to be clear text.
If accessible by many then backing up with master password, or just having sys admins do a manual backup seems sufficient.

I imagine the file doesn't change all that often.
How does this change with your new password directory plan? I assume it would just be a folder instead of a single file.

-----Original Message-----
From: Sac [mailto:sac-bounces@lists.osgeo.org] On Behalf Of Sandro Santilli
Sent: Monday, October 16, 2017 3:50 AM
To: sac@lists.osgeo.org
Subject: [SAC] Backup of access file ?

It looks to me that the master password file is not being backed up, please correct me if I'm wrong.

How do we want to deal with that information ?
Shall each primary admin autonomously take a backup of that file ? Or should we consider it safe to include those files in a clear-text backup ? Or shall we just spread a "master password" to encrypt that file before backing it up ?

Ideas welcome.

--strk;

On Mon, Oct 16, 2017 at 06:09:51AM -0400, Regina Obe wrote:

> Depends where these plain text backups are kept. If the backups are on a system only accessible to SAC admins, seems fine to be clear text.
> If accessible by many then backing up with master password, or just having sys admins do a manual backup seems sufficient.

> I imagine the file doesn't change all that often.
> How does this change with your new password directory plan? I assume it would just be a folder instead of a single file.

Folder instead of single file allows for more fine-grained
permissions, so that someone may be given access to the
password of one service but not of another.

When it comes to backup I guess those permissions flatten
down (ie: whoever can access backups can read all files).

--strk;

Sandro Santilli wrote:

> It looks to me that the master password file is not being
> backed up, please correct me if I'm wrong.

Sounds plausible - different opinions were, and probably still are
circulating on what to back up.

> Shall each primary admin autonomously take a backup
> of that file ?

Yup, from my personal point of view this would be a pragmatic solution.

Cheers,
  Martin.

--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Tue, Oct 17, 2017 at 05:54:58AM +0000, Martin Spott wrote:

> Sandro Santilli wrote:
>
> > Shall each primary admin autonomously take a backup
> > of that file ?
>
> Yup, from my personal point of view this would be a pragmatic solution.

I set up my rsync wrapper to do that. If others need it:

  mkdir osgeo-secure-root; chmod 700 osgeo-secure-root
  rsync -avz secure.osgeo.osuosl.org:/root/access* osgeo-secure-root

NOTE: will only copy what you have read access to (changing over time)

--strk;
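
An added example, not part of the thread or of SAC's own tooling: a hardened variant of the local-copy step in the last message, plus a check that nothing in the copy is accessible to group or other. The function names are hypothetical; the host and path are the ones given in that message.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not SAC tooling.

# Create the local copy directory already private. Running mkdir under
# umask 077 avoids the window that "mkdir; chmod 700" leaves open.
make_secure_dir() {
    dir=$1
    if [ -d "$dir" ]; then
        chmod 700 "$dir"
    else
        ( umask 077 && mkdir "$dir" )
    fi
}

# Pull the access files (host and path as given in the thread).
# --chmod=go-rwx strips group/other bits on the local copies; plain
# rsync -a would preserve whatever modes the files have on the server.
pull_access_files() {
    dir=$1
    make_secure_dir "$dir" &&
    rsync -avz --chmod=go-rwx 'secure.osgeo.osuosl.org:/root/access*' "$dir"
}

# Print every path under DIR (DIR included) that grants any permission
# to group or other; return non-zero if at least one is found.
audit_secure_dir() {
    dir=$1
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                         -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}
```

Running `audit_secure_dir osgeo-secure-root` after each pull, or before the directory is swept into any wider backup, flags copies whose modes would expose them.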