Add write-only mode #110

dionorgua opened this issue May 6, 2020 · 4 comments
@dionorgua

dionorgua commented May 6, 2020

Output of rest-server --version

rest-server 0.9.7 compiled with go1.10 on linux/amd64

What should rest-server do differently?

Currently we have an --append-only mode that tries to minimize the risk of an attacker accessing the repo from a compromised host.

So there is no way to remove data from the repo. But there is still a way to 'restore' whatever the attacker wants from an --append-only repo.

It would be great to also have a --write-only-like option to completely disable read access to the data subdir. I know that restic may need it during backup, but it's actually not strictly required: usually the parent snapshot is already cached. And when it is not cached, it's still possible to perform a slower backup with the --force option, which doesn't need that snapshot at all. Ideally restic should be aware of such a write-only repo and automatically fall back to --force, but that's not necessary.

@wojas
Contributor

wojas commented May 11, 2020

This sounds a bit like a hack that depends on restic internal behavior that can change with any release and break such a setup. I don't think it's a good idea to support such a feature before restic itself officially supports such a setup.

@dionorgua
Author

I agree that this is a bit tricky, but I can't say that it is much different from the --append-only hack.

The whole rest-server itself depends on restic internal behavior and can't be replaced with something standard like WebDAV. Currently rest-server has a hardcoded restic repository layout (keys/locks/snapshots/data/index) and a hardcoded data layout (about one level of subdirs named with the first two characters).

They were even hosted in one git repo in the past.

PS. Currently restic doesn't properly support --append-only. Even after a 403 error it still tries to delete the blob again and again multiple times.

@JsBergbau
Contributor

@dionorgua

Did you know about the asymmetric encryption feature idea? restic/restic#187
This would have the same results, but a lot more advantages, since this works also with other backends than rest-server.

@dionorgua
Author

Asymmetric encryption is related but not the same.
Even if it's implemented at the file/pack level, it's still possible for an attacker who got access to one of the hosts to just delete everything on the backend. append-only + asymmetric is most likely the same as the proposed write-only mode.

But it also has exactly the same challenges: restic needs a way to download and decrypt the current index and latest snapshot tree. Or just fall back to full backup mode in case of an empty local cache.
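
A sketch of the request policy this thread discusses, added here as an illustration; it is not rest-server's code and was not written by any participant. `Mode`, `Decide` and `Guard` are hypothetical names, and the URL shape, the lock-file exemption and leaving HEAD allowed are assumptions of the sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Mode is this sketch's own type; WriteOnly models the proposed --write-only.
type Mode int
const (
	ReadWrite Mode = iota
	AppendOnly
	WriteOnly
)

// Decide returns the status for a request. Assumed paths: /<type>/<name>, /<type>/, /config.
func Decide(mode Mode, method, path string) int {
	typ := strings.SplitN(strings.Trim(path, "/"), "/", 2)[0]
	switch typ {
	case "keys", "locks", "snapshots", "data", "index", "config": // layout named in the thread
	default:
		return http.StatusNotFound // unknown paths fail closed
	}
	// Both restricted modes: no deletes, except lock files (assumption of this sketch).
	if mode != ReadWrite && method == http.MethodDelete && typ != "locks" {
		return http.StatusForbidden
	}
	// Write-only: no GET under data/. HEAD stays allowed (assumption: size check only).
	if mode == WriteOnly && method == http.MethodGet && typ == "data" {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// Guard wraps a storage handler and rejects requests the mode does not allow.
func Guard(mode Mode, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := Decide(mode, r.Method, r.URL.Path); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed sample request; "abcd" is a placeholder blob name
	fmt.Println(Decide(AppendOnly, "GET", "/data/abcd"), Decide(WriteOnly, "GET", "/data/abcd"))
}
```

In this sketch a compromised client in write-only mode can still upload packs and read snapshots and index files, but a GET of anything under data/ returns 403.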
