OpenWrt/LEDE setup for SFTP

2

I want to use my router (a TP-Link WDR3600) running LEDE 17.01.4 as an SFTP server to store my backups created with borg. I already know how to perform backups and set up a USB drive; what I don't know is how to properly set up the SFTP server part for security and maintainability, like:

  • Do I have to create a dedicated user?
  • If so, how to restrict permissions to that backup user, so that it can't peek into sensitive files in the filesystem?

I am basically looking for the best practices to run a sane SFTP server, but using the limited environment of an embedded system. If possible, I'd prefer not to use openssh since it's not integrated within the UCI system.

My question might be too wide, please let me know if that's the case.

LivingSilver94

Posted 2018-03-19T00:07:56.357

Reputation: 37

FYI, Borg backup documentation link: "BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption." (After searching it I thought I might as well post it.)

– Xen2050 – 2018-03-19T00:58:06.180

To be honest, I discovered borg has to be installed on the remote host too; that's not possible with OpenWrt. I'll try something like restic. – LivingSilver94 – 2018-03-19T20:57:44.550

I remember seeing a link about compiling Borg for OpenWRT, I'm not sure if it was successful but I assumed that's what you were doing. The docs say it doesn't have to be installed on the remote host, just needs ssh, but performance will suffer if it's not installed – Xen2050 – 2018-03-20T14:36:12.453

Answers

1

Do I have to create a dedicated user?

Yep. Create a non-privileged user named borg. Below is an excerpt from the OpenWrt documentation:

[screenshot of the OpenWrt wiki excerpt on creating a non-privileged user; image not reproduced]

Then do this since you want to use the included dropbear and not openssh-server:

[screenshot of the OpenWrt wiki excerpt on enabling SFTP with dropbear; image not reproduced]

The way it works: any account that can SSH can use SFTP, and once you create the account on the local system, and optionally setup keys, you can SFTP immediately.

If so, how to restrict permissions to that backup user, so that it can't peek into sensitive files in the filesystem?

Non-root users won't be able to do much outside of their home directories that isn't set with open permissions.

To prevent other non-root users from modifying borg-owned files, use borg's umask option with a value of 027 - this will make any new files inaccessible to anyone but root or borg.

LawrenceC

Posted 2018-03-19T00:07:56.357

Reputation: 63 487

Thanks for your reply, I'm gonna test it before marking it as the accepted answer. Just a thing tho: OpenWrt has an updated wiki based on LEDE's one. Next time please use the updated URL ;)

– LivingSilver94 – 2018-03-19T10:24:00.270

Unfortunately, my borg account is able to see, for example, both my WiFi key (which is stored in plain text in /etc/config/wireless) and the content of another user, say backup in /home/backup. Is OpenSSH's chroot the only viable solution? – LivingSilver94 – 2018-03-19T11:09:18.123

You need to change the permissions on /etc/config/wireless and any other account using chmod. A different SSH daemon won't affect that. – LawrenceC – 2018-03-19T12:37:22.260

@LawrenceC, why did you post screenshots of the OpenWrt wiki? A text copy (for copy/paste) and perhaps a link referencing the original post would have been better – pim – 2018-04-04T13:09:15.303

There's a link ... is it not working @pim? Improve post with suggested edits if you want. – LawrenceC – 2018-04-04T15:33:52.780
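The two permission points raised in this thread (the answer's umask 027 advice for files the borg account creates, and LawrenceC's comment that the real fix for a readable /etc/config/wireless or /home/backup is chmod, not a different SSH daemon) can be checked without touching a router. The script below is an added example, not code from the original answer or from OpenWrt: it builds a constructed temporary tree that mirrors the layout discussed, shows the mode bits that umask 027 produces, counts the files an unprivileged account with no special group membership could read, and applies the chmod fix. The function names, the temp-tree layout and the placeholder secret are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or OpenWrt): permission checks
# for a dedicated, unprivileged SFTP backup account. Runs as any user.
set -u

# Create a file and a directory under the given umask and print the octal
# mode bits each one ends up with. umask 027 (the answer's suggestion)
# clears write for group and everything for "other".
mode_under_umask() {
    scratch=$(mktemp -d)
    ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
    fmode=$(stat -c '%a' "$scratch/f")
    dmode=$(stat -c '%a' "$scratch/d")
    rm -rf "$scratch"
    printf '%s %s\n' "$fmode" "$dmode"
}

# Count regular files under $1 whose "other" read bit is set. A backup
# account that is neither root nor the file owner, and shares no group with
# the owner, can read exactly these (given traversable parent directories).
world_readable_count() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Build a constructed tree with the two cases from the thread: a config file
# holding a (placeholder) WiFi key and another user's home directory.
build_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/config" "$base/home/backup" "$base/home/borg"
    printf 'option key "PLACEHOLDER-NOT-A-REAL-KEY"\n' > "$base/etc/config/wireless"
    printf 'private notes\n' > "$base/home/backup/notes"
    # Typical default modes, which is why the borg user could read both.
    chmod 644 "$base/etc/config/wireless" "$base/home/backup/notes"
    printf '%s\n' "$base"
}

# The fix from LawrenceC's comment: take "other" access away from the
# secret-bearing config file and from the other user's home tree.
harden() {
    chmod 600 "$1/etc/config/wireless"
    chmod -R o-rwx "$1/home/backup"
}

# Stand-alone demonstration.
if [ "${DEMO:-1}" = 1 ]; then
    echo "file/dir modes under umask 027: $(mode_under_umask 027)"
    tree=$(build_demo_tree)
    echo "world-readable files before hardening: $(world_readable_count "$tree")"
    harden "$tree"
    echo "world-readable files after hardening:  $(world_readable_count "$tree")"
    rm -rf "$tree"
fi
```

Run it with `sh script.sh`; on the router the same `find` invocation, pointed at `/etc/config` and `/home`, is the audit to repeat after each config change, since UCI rewrites files in `/etc/config` and a rewrite can reset their mode. Note that dropbear itself has no SFTP subsystem; on OpenWrt the subsystem binary comes from the openssh-sftp-server package, and any account that can log in over SSH can then use SFTP, so the account's reach is bounded only by filesystem permissions.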