deajan / backup-bench

Quick and dirty backup tool benchmark with reproducible results
BSD 3-Clause "New" or "Revised" License

Updates for bupstash #10

Closed andrewchambers closed 1 year ago

deajan commented 1 year ago

Thank you for taking the time to complete the comparison table.

Before I merge this, I just need to understand one thing:

For the question "Can a compromised client delete backups?" you replaced "No (backup only key)" with "No (ssh permission)". I am aware that I should have named the backup only key a "sub key" as per bupstash documentation, but aren't sub keys the good way of adding backups without being able to delete them client side?

andrewchambers commented 1 year ago

Sub keys limit decryption and nothing else; this may be something in the documentation that needs to be improved. As an example, you can delete data without having a decryption key at all.

Consider the case a user just uses ssh to run rm -rf ./my-repository - you need to restrict the users ability to run commands, for bupstash you must restrict them to only running bupstash serve --allow-put /path/to/repository to remove the ability to do anything except making new backups.

The correct way to prevent deletion is to limit access to what commands a user can run. This can be done with an ssh forced command or something like 'su' or openbsd's 'doas' utility which limits how the 'bupstash serve' command is invoked.

I am going to add another simpler method to disable deletion for a repository as a whole in a future release. In the bupstash.io managed repository user interface this is a checkbox associated with each ssh key.
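The forced-command setup described in the comment above, as an added example that is not part of this thread, the backup-bench repository or bupstash itself. It builds the sshd authorized_keys entry that pins a client key to `bupstash serve --allow-put <repo>` and audits an existing entry for the failure mode the comment warns about: a bare key (no forced command) lets the client run `rm -rf` on the repository. The repository path /srv/backups/client1 and the public key are constructed placeholders; `restrict` is the OpenSSH 7.2+ authorized_keys option that also disables forwarding and pty allocation.

```shell
#!/bin/sh
# Added example, not code from the backup-bench repo or from bupstash.
# Assumption: the repository lives at /srv/backups/client1 on the server.
REPO=/srv/backups/client1
# Constructed sample key (not a real key pair).
CLIENT_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl client1'

# Emit one authorized_keys line. Whatever command the client's ssh session
# requests, sshd runs the forced command instead, so the client can only talk to
# `bupstash serve --allow-put <repo>` and can never reach a shell, rm, or a
# serve instance that permits removal.
forced_command_entry() {
    repo=$1
    key=$2
    printf 'command="bupstash serve --allow-put %s",restrict %s\n' "$repo" "$key"
}

# Audit one authorized_keys line. Returns 0 only when the line is pinned to
# bupstash serve, grants nothing beyond --allow-put, names an absolute repo
# path, and carries the restrict option; returns 1 otherwise.
check_entry() {
    line=$1
    rest=${line#"command=\"bupstash serve --allow-put "}
    [ "$rest" != "$line" ] || return 1      # no forced command at all
    repo=${rest%%"\",restrict "*}
    [ "$repo" != "$rest" ] || return 1      # forced command not followed by ",restrict"
    case "$repo" in
        /*) ;;
        *) return 1 ;;                       # repo path is not absolute
    esac
    case "$repo" in
        *' '*) return 1 ;;                   # extra words after the path = extra flags granted
    esac
    return 0
}

# Count the lines of an authorized_keys file that fail the audit.
audit_file() {
    bad=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        check_entry "$l" || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}

# Demo: one good entry, one bare key, one serve without --allow-put.
tmp=$(mktemp)
forced_command_entry "$REPO" "$CLIENT_KEY" > "$tmp"
echo "$CLIENT_KEY" >> "$tmp"
echo "command=\"bupstash serve $REPO\",restrict $CLIENT_KEY" >> "$tmp"
echo "entries failing audit: $(audit_file "$tmp")"
rm -f "$tmp"
```

Install the emitted line in the backup user's ~/.ssh/authorized_keys on the server; the client then runs bupstash with BUPSTASH_REPOSITORY pointing at ssh://backup-user@server/ as usual, and a `bupstash rm` from that client is refused by the server because the forced command never passes more than --allow-put.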

deajan commented 1 year ago

Thank you for the clarification. I indeed configured the authorized_keys file to run bupstash serve in the script, so, yes, I totally misunderstood the sub key concept ;)

andrewchambers commented 1 year ago

You are not the first person to get confused by that. I think it's a sign I need to rewrite the documentation and explain it better.

deajan commented 1 year ago

I've merged your notes, after rewording some (the ssh and push backup ones). Feel free to open another PR if the wording does seem off.