Backups revival

After further contemplation on the topic of backups, I realized that every machine I run is a possible target and thus a possible entry point through which the backup storage may be compromised.

To minimize the impact of a malicious actor manipulating my entire backup storage, I am thinking of adding a storage space and a user for each backup configuration. That would result in the backups being completely isolated from each other, so that only the compromised machine's own backup can be contaminated.

In order to simplify access to the backups, one might also create a separate group for reading from the backups. A read-only interface would make for easy access whilst maintaining high security.

The defaults for useradd should be correct, but if one would like to check them, the following command can be used.

useradd -D

The same command can also set the user defaults when the preferred setting is included on the command line.

useradd -D -g customgroup

The following commands will add a user with a custom home folder, which should be located in the datastore in order to avoid creating unnecessary home folders.

useradd -d /datastore/d0/ -c "Storage Point PC0" storagepointpc0 # Will create the user

passwd storagepointpc0 # Will set the password and make the user active

smbpasswd -a storagepointpc0 # Sets password for samba user and enables user

Choosing appropriate user names and storage point names is another topic that may still need some thought.
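
To check that the isolation described above actually holds on disk, the following added example (not part of the original post) audits a datastore root. It assumes one directory per machine directly under the root, as in /datastore/d0/, and treats mode 750 as the target (owner writes, read group reads, nothing for others); the function names and the target mode are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit per-machine storage points under a datastore root.
# Assumed layout: <root>/<storage point>/, each owned by its own backup user.

# Print storage points whose mode breaks isolation: group-writable
# (the read group must never write) or any permission for "other".
weak_mode_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Print numeric UIDs that own more than one storage point. A shared owner
# means one compromised machine can rewrite another machine's backup.
shared_owners() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        ls -ldn "$d" | awk '{print $3}'
    done | sort | uniq -d
}

# Report all findings; returns 0 only when the datastore is clean.
audit_datastore() {
    weak=$(weak_mode_dirs "$1")
    shared=$(shared_owners "$1")
    [ -z "$weak" ] || printf '%s\n' "$weak" | sed 's/^/weak mode: /'
    [ -z "$shared" ] || printf '%s\n' "$shared" | sed 's/^/shared owner uid: /'
    [ -z "$weak" ] && [ -z "$shared" ]
}
```

Call it as audit_datastore /datastore after sourcing the file; a non-zero return means at least one storage point is writable by the read group, reachable by other users, or shares its owner with another storage point.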