[SOLVED] Permission Role that allows backups but denies restores ?

SRU

Member
Dec 2, 2020
38
4
13
24
Hello,
Fearing ransomware attacks, I am searching for a role that allows backups but denies restores or deleting of backups – such a role does not seem to exist.
It would be fine to use:

DatastoreBackup
"Can backup and restore owned backups"

and change the owner to another API token immediately after a successful backup has been performed.
This would reduce the access rights to the expected behavior because from that point in time the backup is no longer owned.
How would I do this?
 
Datastore.backup permission does not allow backups to be deleted from PVE. The attack should get PBS root credentials (or other used with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
 
  • Like
Reactions: SRU
Datastore.backup permission does not allow backups to be deleted from PVE. The attack should get PBS root credentials (or other used with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
I basically wanted to implement the guidelines that azure publish and will re-think if that is sufficient.
Thanks, Stefan
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!