FreeBSD Backup

[James Long]

> Date: Tue, 12 Dec 2006 07:05:18 -0800 (PST)
> From: probsd org <probsdorg at yahoo.com>
> Subject: RE: FreeBSD Backup
> To: freebsd-questions at freebsd.org
> Message-ID: <20061212150519.65264.qmail at web52409.mail.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
> 
> This is assuming you have another account on another freebsd/linux box with a significant amount of space. Works great on a live filesystem. I use /, /var, /tmp, and /usr as examples.
>    
>   dump -L -0f - /usr | ssh -C login at other-freebsd-server "cat > /usr/home/login/usr.dump"
>   dump -L -0f - /tmp | ssh -C login at other-freebsd-server "cat > /usr/home/login/tmp.dump"
>   dump -L -0f - /var | ssh -C login at other-freebsd-server "cat > /usr/home/login/var.dump"
>   dump -L -0f - / | ssh -C login at other-freebsd-server "cat > /usr/home/login/root.dump"

Watch your umask when doing stuff like the above.  If /usr/home/login 
is world-readable (or group-readable), and your umask permits 
world-readable files, then all your secure chown root / chmod 600 
files are suddenly world readable to any rogueuser that can 
"cp /usr/home/login/root.dump ~rogueuser/".

I prefer to explicitly set the umask:

dump -L -0f - / | ssh -i ~root/.ssh/special_backup_dsa_key \
  login at other-freebsd-server "umask 177; cat > /usr/home/login/root.dump"

One could/should of course also "chmod 700 /usr/home/login"