Re: [rdiff-backup-users] Clarification of --restrict-update-only

[Chris G]

On Thu, Feb 05, 2009 at 08:20:45AM -0500, Andrew Ferguson wrote:
> On Feb 5, 2009, at 8:13 AM, Dominic wrote:
>> The ones I think most interesting are first whether new repositories can 
>> be created (logically yes, but does it work?), and second 
>> --check-destination-dir (and automatic fixing of a previous failed 
>> backup). Logically --check-destination-dir should work because the action 
>> that rdiff-backup takes in this case is not a security risk (it is only 
>> undoing a backup that has failed, and a malicious user cannot use it to 
>> remove valid backups), but as it involves deleting data on the server 
>> --restrict-update-only might prevent it. I guess the best way to find out 
>> for sure is to create a failed backup and try it...
>
> Automatically repairing a failed backup will fail if you have 
> --restrict-update-only for exactly the reason Dominic describes. I have 
> thought this one through yet, but perhaps over the course of multiple 
> backup sessions, a malicious user could construct a source to fail in a bad 
> way when the repository tries to repair itself.
>
> An administrator paranoid and involved enough to be using 
> --restrict-update-only is assumed to be vigilant enough to pay attention 
> when rdiff-backup has failed (since it will error and backtrace) and 
> manually intervene to repair the repository.
>
Exactly, I will notice if I'm getting any errors from rdiff-backup and
will go and investigate.

>
> Regarding first creating new repositories, yes, I think that too will be 
> blocked. There was some discussion a few years ago about this: 
> http://savannah.nongnu.org/bugs/?16897   ... I don't remember what was 
> resolved. I suppose we could add os.mkdir() to the safe list.
>
It's not a big issue for me, if/when I set up new clients and/or new
hierarchies to back up I'm quite happy to do some manual backups or
remove the --restrict-update-only from teh destination temporarily.

-- 
Chris Green