garethgeorge / backrest

Backrest is a web UI and orchestrator for restic backup.
GNU General Public License v3.0

Insecure login on LAN #560

Open ManuXD32 opened 1 week ago

ManuXD32 commented 1 week ago

Describe the bug: If you log in on a machine, the account stays open, so if you access the web UI from another machine you can get to the web page without logging in again.

To Reproduce

  1. Set up backrest on a server with port 0.0.0.0
  2. Log in from machine 2
  3. Try to log in from machine 3

Expected behavior: Ask for login on different machines.


garethgeorge commented 1 week ago

Backrest supports password authentication to address multiuser installs where other users of the system need to be restricted from accessing the UI.

Interestingly, if running multiple installs under different user accounts I think one would also have problems with each install trying to bind to port 8989. For now, on a multi-user system backrest should always be used with authentication enabled and only on a single user account.