How to create a user that can read all files and not change anything (for backup)

I need a user that I can log in with from my NAS. This user should only be fit to read, but should be authorized for all files. It should not be able to change anything. The user facility of GNOME is way too general and too indirect to be able to control such details. There probably is a way, I just don’t know how.

  1. Is it possible to create a user to use from ssh for read-only access of all files, without change authority?
  2. Is it possible to make it not appear on the regular GNOME logon screen?

At the moment I have given it root access, but that seems very dangerous. I hope someone has a solution that is safer.

Kind regards, Guus Bonnema.

That’s easy, just change the user ID of that user to below 1000 (source):

sudo usermod -u 999 <username>

It’s somewhat of a “system user” then.

Without making it more complicated you can only make use of user groups. E.g. I guess it should probably not read “all” files (including /root etc.), so it depends on what your definition of “all files” is here.
I’d guess for a backup it’s typically mostly /home. If so, use a Linux group and make all files readable by that group. Users could then also chmod it to be only readable by them, which would effectively exclude the files from a backup.

E.g. as described here. There are also some other clever ideas there.

However, generally a root user for backups may also be fine, if it works the other way around, i.e. from your device to your NAS (backup device). Why do you need to login via SSH from your NAS? Can’t you also push backups/files from your laptop to your NAS?


The reason I want to ssh from the NAS to the machine is that the NAS is less likely to get compromised than the user's machine. If I access the NAS through the user's machine, then the malware would not only be able to compromise the machine, but also any NAS connected to it in rw-mode. If it is ransomware, then both the machine and the backups are encrypted. That is my main reason to want to connect from my NAS to the machine. My user machine has only ro-access to the NAS. Any rw actions I do via a special program, with separate address and userid/password.

So, to close the loop, I want the backup user that I use for ssh from the NAS to the user machine to have ro-access to everything, but no modification access.

I am copying /home plus some system files (/etc) and the /root directory. I specifically do want to backup all files including very private files like private keys, because especially the keyfiles are irreplaceable.

Everything outside what I backup, is system software that I can reinstall from the internet or from a disk. So no need to backup.

The source you described in serverfault does give some other angles, but I don’t understand everything. Especially the ACL instructions are very new to me. I have always worked with the standard Linux access bits without trouble. It is since my aversion to ransom software that I started thinking about the access my regular user has to the NAS. This used to be just rw-access. With ransomware that is just too handy.

So ideally, I would have ro-access from NAS to user machine and ro-access from user machine to NAS. For modifications I would use a NAS provided web program to update whatever I want to update. As that is a separate mechanism, no malware can reach the NAS from the user machine or the other way around.

So that is my reasoning.

From your answer, I am not sure if my goal is accomplishable or not. I will study on it a bit longer.

Thank you for taking the time to respond!

@rugk Thank you very much for this link. It gave me the solution I was looking for. Using acl I can fine-tune the read access as much as I want. For now I have created a system user (below 1000) with acl access to the directories that I need to backup. If I want to I can except the really secret files like gnupg and such. I am not sure whether to do that, because I do need a backup of these files.

Thank you for your response, I really appreciate the effort. I am marking this response as the answer, but it is your response containing the link that made all the difference!
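
The ACL approach described in the post above, as an added example that is not part of any post in this thread: one function grants a read-only entry with `setfacl`, and a second audits `getfacl -R` output for paths where that entry is missing or includes write. The account name `nasbackup` and the sample paths are assumptions, and the sample dump is constructed.

```bash
#!/bin/sh
# Assumed names: the account "nasbackup" and all paths are illustrative.
BACKUP_USER="${BACKUP_USER:-nasbackup}"

# Run as root on the machine being backed up. r = read; X = execute only on
# directories (traverse) and on files that are already executable.
# The -d pass sets default ACLs so files created later inherit the entry.
grant_readonly() {
    for dir in "$@"; do
        setfacl -R -m "u:${BACKUP_USER}:rX" -- "$dir"
        setfacl -R -d -m "u:${BACKUP_USER}:rX" -- "$dir"
    done
}

# Reads `getfacl -R` output on stdin. Prints "WRITABLE <path>" when the
# account's entry contains w (checked before the mask, to stay conservative)
# and "MISSING <path>" when a path has no entry for the account at all.
audit_acl_dump() {
    awk -v u="$BACKUP_USER" '
        function report() {
            if (path == "") return
            if (!seen) print "MISSING " path
            else if (bad) print "WRITABLE " path
        }
        /^# file: / { report(); path = substr($0, 9); seen = bad = 0; next }
        {
            n = split($1, f, ":")   # $1 excludes any "#effective:" comment
            if (n == 3 && f[1] == "user" && f[2] == u) {
                seen = 1
                if (index(f[3], "w")) bad = 1
            }
        }
        END { report() }'
}

# Constructed, abridged sample of `getfacl -R` output.
sample_dump() {
    cat <<'EOF'
# file: home/alice
user::rwx
user:nasbackup:r-x
default:user:nasbackup:r-x

# file: home/alice/notes.txt
user:nasbackup:rw-

# file: home/alice/.gnupg
user::rwx
EOF
}
```

On a real system the audit would be fed with `getfacl -R /home /etc /root | audit_acl_dump`. Because an ACL's mask is reported as the group permission bits, an entry on a private key under `~/.ssh` makes the file look group-readable, and the OpenSSH client refuses to use private keys whose mode has group or other bits set.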

Great you could find a solution.

Anyway, just let me emphasize I would actually still consider it more secure if you’d go the route to send data from your backup device to your NAS. With a special user and so on, you can limit it to backup-only data or so.

But yeah, depends on your threat model.

Also, if you could install Linux tools on your remote server/NAS, I would recommend a tool like borg, which can also have an append-only mode, protecting against ransomware that may want to encrypt data.
