Re: [rdiff-backup-users] Clarification of --restrict-update-only

[Andrew Ferguson]

On Feb 5, 2009, at 8:13 AM, Dominic wrote:
> The ones I think most interesting are first whether new repositories  
> can be created (logically yes, but does it work?), and second -- 
> check-destination-dir (and automatic fixing of a previous failed  
> backup). Logically --check-destination-dir should work because the  
> action that rdiff-backup takes in this case is not a security risk  
> (it is only undoing a backup that has failed, and a malicious user  
> cannot use it to remove valid backups), but as it involves deleting  
> data on the server --restrict-update-only might prevent it. I guess  
> the best way to find out for sure is to create a failed backup and  
> try it...


Automatically repairing a failed backup will fail if you have -- 
restrict-update-only for exactly the reason Dominic describes. I have  
thought this one through yet, but perhaps over the course of multiple  
backup sessions, a malicious user could construct a source to fail in  
a bad way when the repository tries to repair itself.

An administrator paranoid and involved enough to be using --restrict- 
update-only is assumed to be vigilant enough to pay attention when  
rdiff-backup has failed (since it will error and backtrace) and  
manually intervene to repair the repository.


Regarding first creating new repositories, yes, I think that too will  
be blocked. There was some discussion a few years ago about this: http://savannah.nongnu.org/bugs/?16897 
   ... I don't remember what was resolved. I suppose we could add  
os.mkdir() to the safe list.



Andrew