restic / rest-server

Rest Server is a high performance HTTP server that implements restic's REST backend API.
BSD 2-Clause "Simplified" License

Add the possibility to disable the use of "--time"-flag (when --append-only is active) #292

Closed OneBitAhead closed 1 month ago

OneBitAhead commented 1 month ago

Output of rest-server --version

What should rest-server do differently?

(Optional) disable the usage of the restic flag --time for rest-server started in --append-only mode. With this made possible, an attacker cannot write backups with specific timestamps in the past to use a nightly "forget and purge" logic on the backup server to compromise ALL old backups.

What are you trying to do? What is your use case?

My scenario is like this (I leave out the specific security details to describe the base problem):

Nightly the DATA-SERVER writes its backups (different users) without any time flag. Then a cron job on the BACKUP-SERVER does a "forget and prune" run to store only the last X backups of a week, month, year....

So far so good: BUT if an attacker gains access to the DATA-SERVER (which has services running that are accessible to the outside world) he cannot delete backups - because of the append-only mode - BUT he can write new corrupted backups with a timestamp exactly one second after each existing "good" backup using the --time flag.

Then if the cron job starts nightly it will forget and prune all the valid backups and I end up with only corrupted backups.

If there were a way to "switch off" the --time flag usage in the rest server, one could use the forget and purge automatically. If not, I will need a complex way of distinguishing backups made by my logic from ones made by a possible attacker...

I have read the documentation concerning Security considerations in append-only mode where the option --keep-within is proposed as an option (but this will only work for a specific scenario).

Did rest-server help you today? Did it make you happy in any way?

Besides: I really love restic and the rest-server for it. It works like a charm. I tried a lot of other backup solutions but none was that easy to use out-of-the-box :)

Especially the possibility to use the (nearly :)) perfect "private-repo" and "append-only" modes!!!

Thank you!
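The attack in the comment above depends only on how a retention policy orders snapshots by timestamp, so it can be reproduced without a repository. The following Go program is an added example, not code from the original issue, restic, or rest-server: it models a small subset of restic's forget policy (keep-last, keep-daily, keep-within) with assumed semantics, builds the scenario from the comment (seven nightly "good" snapshots, then an append-only attacker uploading one snapshot with --time set one second after each of them), and counts which side survives the nightly forget. The Snapshot, Policy, applyForget, buildScenario and countLabel names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Snapshot is a constructed stand-in for a restic snapshot: only the field the
// forget policy looks at (Time) plus a label to tell good and injected
// snapshots apart. A real rest-server never sees such a label: snapshot
// contents, including the timestamp, are encrypted on the client side.
type Snapshot struct {
	Time  time.Time
	Label string // "good" or "attacker" (constructed for this example)
}

// Policy models a subset of restic's forget options. The semantics below are an
// assumption for this example, not restic's own implementation.
type Policy struct {
	KeepLast   int           // --keep-last n
	KeepDaily  int           // --keep-daily n
	KeepWithin time.Duration // --keep-within d (0 = unset)
}

// applyForget returns the snapshots the policy keeps, newest first.
// Modelled rules: keep the n newest (keep-last); keep the newest snapshot of
// each of the n most recent distinct UTC calendar days (keep-daily); keep every
// snapshot made within d of the newest snapshot (keep-within).
func applyForget(snaps []Snapshot, p Policy) []Snapshot {
	sorted := append([]Snapshot(nil), snaps...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.After(sorted[j].Time) })

	keep := make([]bool, len(sorted))
	for i := 0; i < p.KeepLast && i < len(sorted); i++ {
		keep[i] = true
	}
	seenDays := map[string]bool{}
	for i, s := range sorted {
		day := s.Time.UTC().Format("2006-01-02")
		if seenDays[day] {
			continue // an older snapshot of a day already represented is not kept by keep-daily
		}
		if len(seenDays) < p.KeepDaily {
			seenDays[day] = true
			keep[i] = true
		}
	}
	if p.KeepWithin > 0 && len(sorted) > 0 {
		cutoff := sorted[0].Time.Add(-p.KeepWithin) // relative to the newest snapshot
		for i, s := range sorted {
			if !s.Time.Before(cutoff) {
				keep[i] = true
			}
		}
	}

	var kept []Snapshot
	for i, s := range sorted {
		if keep[i] {
			kept = append(kept, s)
		}
	}
	return kept
}

// countLabel counts the snapshots carrying the given label.
func countLabel(snaps []Snapshot, label string) int {
	n := 0
	for _, s := range snaps {
		if s.Label == label {
			n++
		}
	}
	return n
}

// buildScenario constructs the issue's scenario: `days` nightly good backups at
// 02:00 UTC, plus one attacker snapshot whose --time is one second after each.
func buildScenario(days int) []Snapshot {
	base := time.Date(2024, 3, 1, 2, 0, 0, 0, time.UTC) // constructed start date
	var snaps []Snapshot
	for d := 0; d < days; d++ {
		t := base.AddDate(0, 0, d)
		snaps = append(snaps, Snapshot{Time: t, Label: "good"})
		snaps = append(snaps, Snapshot{Time: t.Add(time.Second), Label: "attacker"})
	}
	return snaps
}

func main() {
	snaps := buildScenario(7)
	for _, p := range []Policy{
		{KeepDaily: 7},
		{KeepLast: 3},
		{KeepDaily: 7, KeepWithin: 48 * time.Hour},
	} {
		kept := applyForget(snaps, p)
		fmt.Printf("%+v -> kept %d good, %d attacker\n",
			p, countLabel(kept, "good"), countLabel(kept, "attacker"))
	}
}
```

With --keep-daily 7 alone the newest snapshot of every day is the attacker's, so all seven good snapshots are forgotten and the following prune deletes their data. --keep-last keeps alternating good and attacker snapshots, and --keep-within retains the good ones inside its window, which is why the documentation suggests it as a mitigation and why it covers only the period the window spans. None of this can be enforced by rest-server itself, since the timestamp lives inside the encrypted snapshot.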

MichaelEischer commented 1 month ago

disable the usage of the restic flag --time for rest-server started in --append-only mode.

rest-server is unable to decrypt the snapshot content and therefore cannot provide this assurance. Preventing attackers from manipulating snapshots will require something like https://github.com/restic/restic/issues/3195. So, this has to be implemented on the restic side.

OneBitAhead commented 1 month ago

Ok, I understand that this is not a "problem" of the rest-server. Thanks for pointing that out :)