[SOLVED] Permission Role that allows backups but denies restores ?

S

SRU

Member
Dec 2, 2020
38
4
13
25
Hello,
Fearing ransomware attacks, I am searching for a role that allows backups but denies restores or deleting of backups – such a role does not seem to exist.
It would be fine to use:

DatastoreBackup
"Can backup and restore owned backups"

and change the owner to another API token immediately after a successful backup has been performed.
This would reduce the access rights to the expected behavior because from that point in time the backup is no longer owned.
How would I do this?
 
Datastore.backup permission does not allow backups to be deleted from PVE. The attack should get PBS root credentials (or other used with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
 
  • Like
Reactions: SRU
VictorSTS said:
Datastore.backup permission does not allow backups to be deleted from PVE. The attack should get PBS root credentials (or other used with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
Click to expand...
I basically wanted to implement the guidelines that azure publish and will re-think if that is sufficient.
Thanks, Stefan
 
You must log in or register to reply here.
Top Bottom