Opinion: Permissions: Write but not read for security purposes?

Please poke holes in my plan.

Sure. Only removing read does not prevent problems. Any attempt to modify requires write permissions. An attacker can then still write the file empty (he only needs to know where the file is).

Why not lock down anything on that disk regarding backups except for appending new data?

Possible setup:

/backups/20160911/backup.tar.gz
/backups/20160912/backup.tar.gz
/backups/20160913/backup.tar.gz

Create a script that does

chattr -R +a /backups/
chattr -R +i /backups/*.tar.gz

+i means "immutable"; nothing can be done to these files or directories. Not even root can alter them (that includes removing, editing, writing, adding new files. Anything). Even root needs to remove this (with -i) before root can do something to these files.

+a means "append"; same rules as +i with 1 exception: nobody is allowed to make any alterations to the file or directory except adding to it. And again: even root needs to remove this (with -a) before the file or directory can be changed in a way that is not appending stuff to it.

(The above might need some tweaking. One big backup file might be, ehm, not the best approach. Something with subdirectories and files might be better. So these 2 lines would need an adjustment: for instance ONLY do this on old directories and do "today" manually when the backup is done. Then this becomes

chattr -R +i /backups/{not_today}
chattr -R +a /backups/{today}

Have this script run at intervals so if at any time someone changes something inside /backups/ this resets the permissions for all backups.

Directories and files can be added to "today" and after your backup is done you could add the +i manually. Create a good admin password and nobody but the admin is going to touch these files. Ever.

By the way: also consider storing backups online. We have our backups in multiple Google instances (we have 3 live systems on 3 continents that share the data, each making a fallback instance on another continent, and those each share a backup system).
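The +i/+a scheme from this answer, written out as a script (an added example, not code from the thread): it lists the dated directories under the backup root, marks finished days +i and today's directory +a, and can verify with lsattr that nothing has drifted, which is what the periodic run is for. The YYYYMMDD-per-day layout, the BACKUP_ROOT and TODAY variables and the "plan/apply/check" sub-commands are assumptions of this example; chattr and lsattr need an ext2/3/4-style filesystem and chattr needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: one directory per day named
# YYYYMMDD under BACKUP_ROOT, a filesystem where chattr/lsattr work, root for chattr.
BACKUP_ROOT="${BACKUP_ROOT:-/backups}"
TODAY="${TODAY:-$(date +%Y%m%d)}"

# plan_attrs ROOT TODAY: print "<flag> <dir>" for each dated directory, sorted by name.
plan_attrs() {
    root=$1; today=$2
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # no match: the glob stays literal, skip it
        dir=${dir%/}
        case ${dir##*/} in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;   # YYYYMMDD only
            *) continue ;;                                 # skip lost+found etc.
        esac
        if [ "${dir##*/}" = "$today" ]; then
            printf '+a %s\n' "$dir"        # still being written: append only
        else
            printf '+i %s\n' "$dir"        # finished day: immutable
        fi
    done
}

# apply_attrs ROOT TODAY: run chattr exactly as the answer describes (needs root).
apply_attrs() {
    plan_attrs "$1" "$2" | while read -r flag dir; do
        chattr -R "$flag" "$dir"
    done
}

# check_attrs ROOT TODAY: print every directory whose lsattr flags lack the planned
# letter (i or a). Exit status is non-zero when anything drifted, so a cron job can
# alert and then re-run "apply".
check_attrs() {
    plan_attrs "$1" "$2" | while read -r flag dir; do
        case $(lsattr -d "$dir" | cut -d' ' -f1) in
            *"${flag#+}"*) ;;
            *) printf 'drift: %s lacks %s\n' "$dir" "$flag" ;;
        esac
    done | { ! grep . ; }   # any output means drift: grep succeeds, "!" turns that into failure
}

case ${1:-plan} in
    apply) apply_attrs "$BACKUP_ROOT" "$TODAY" ;;
    check) check_attrs "$BACKUP_ROOT" "$TODAY" ;;
    *)     plan_attrs "$BACKUP_ROOT" "$TODAY" ;;
esac
```

Run it as `./backup-attrs.sh plan` to see what would be flagged, `apply` from a root cron entry at whatever interval you chose, and `check` from monitoring; the check deliberately reads the flags back rather than trusting that the last apply succeeded.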


Remove the read permission from the files or directories you want unreadable.

The permissions are:

u - Owner
g - group
o - others

Turn off read for everyone and write for everyone you want to have write access.

$ chmod -R ugo-r [path]

The directory [path] and all its files and subdirectories will have this attribute. In this case the -r (no read access).
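To see what this chmod actually leaves behind, here is a small added example (not code from the thread) that applies `chmod -R ugo-r` to a path and reads the mode string back with `ls -ld`; the `has_write` check makes visible the point raised in the first reply, that the write bit is untouched. It assumes only a POSIX sh with chmod and ls.

```shell
#!/bin/sh
# Added example (not from the thread): apply the answer's chmod and inspect the result.

# mode_of PATH: the 10-character type+permission field from ls -ld, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# strip_read PATH: remove the read bit for owner, group and others, recursively,
# exactly as the answer shows; print the resulting mode of PATH.
strip_read() {
    chmod -R ugo-r "$1"
    mode_of "$1"
}

# has_write PATH: true if any of u/g/o still carries w. After ugo-r a 644 file
# becomes --w-------: nobody can read it, but anyone with w can still overwrite it.
has_write() {
    case $(mode_of "$1") in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: ./strip-read.sh PATH  (prints the mode before and after)
if [ -n "${1:-}" ]; then
    printf 'before: %s\n' "$(mode_of "$1")"
    printf 'after:  %s\n' "$(strip_read "$1")"
    has_write "$1" && echo "note: write bit still set"
fi
```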


Nothing is as safe as disconnected backups. Download your backups onto an external drive and unplug it from the network after copying the backup onto it. Get a number of drives and rotate them.

For example, buy 5 1 TB drives (total cost < $300). Assign 3 of them as daily backups; each day connect one and copy the backup onto it, then disconnect. Assign one as a weekly backup and one as monthly and do the same.

Keep some of the drives in a second location in case of fire or theft.

This approach secures you against many different data loss threats.

If your system is all server based, use a cloud equivalent. Set up some servers on different providers (Amazon, Google, Azure). Daily, connect to another server and sftp your backup onto that server, then disconnect. Keep multiple copies so you're not backing up over a good copy.

But nothing is as un-hackable as a physical copy you disconnect from any network and keep in an offsite location.
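The 3 daily / 1 weekly / 1 monthly rotation and the "keep multiple copies so you're not backing up over a good copy" rule from this answer, as an added example script (not code from the thread). The rotation rule it uses is my own assumption, since the answer does not spell one out: the 1st of the month goes to the monthly drive, Sundays to the weekly drive, every other day to daily-1..daily-3 chosen by day of month. Each copy lands in a dated directory on the drive so yesterday's copy on the same drive survives, and the drive is unmounted afterwards so it can be unplugged. The `copy_and_detach` step needs root for umount; the mount point and source path are arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Rotation rule and directory layout are assumptions.

# dow YEAR MONTH DAY: day of week, 0=Sunday..6=Saturday (Sakamoto's algorithm).
dow() {
    y=$1; m=${2#0}; d=${3#0}            # strip a leading zero so 09 is not read as octal
    if [ "$m" -lt 3 ]; then y=$((y - 1)); fi
    t=$(echo "0 3 2 5 0 3 5 1 4 6 2 4" | cut -d' ' -f"$m")
    echo $(( (y + y / 4 - y / 100 + y / 400 + t + d) % 7 ))
}

# rotation_slot YEAR MONTH DAY: which of the five drives to plug in today.
rotation_slot() {
    y=$1; m=${2#0}; d=${3#0}
    if [ "$d" -eq 1 ]; then
        echo monthly
    elif [ "$(dow "$y" "$m" "$d")" -eq 0 ]; then
        echo weekly
    else
        echo "daily-$(( d % 3 + 1 ))"
    fi
}

# backup_dest MOUNT YEAR MONTH DAY: dated directory on that drive, so an earlier
# good copy on the same drive is never overwritten.
backup_dest() {
    printf '%s/%s/%04d%02d%02d\n' "$1" "$(rotation_slot "$2" "$3" "$4")" "$2" "${3#0}" "${4#0}"
}

# copy_and_detach SRC MOUNT: copy SRC onto the mounted drive, flush, unmount.
# After this the drive can be unplugged: the "disconnect" step of the answer.
copy_and_detach() {
    set -- "$1" "$2" $(date +'%Y %m %d')
    dest=$(backup_dest "$2" "$3" "$4" "$5")
    mkdir -p "$dest"
    cp -a "$1" "$dest"/
    sync
    umount "$2"
    echo "copied $1 to $dest; unplug the drive now"
}

# Usage: ./rotate.sh run /path/to/backup.tar.gz /mnt/backupdrive
if [ "${1:-}" = run ]; then
    copy_and_detach "$2" "$3"
fi
```

Label the physical drives with the slot names the script prints, so the person doing the daily swap only has to match the label to `rotation_slot` for today's date.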