2
2
mirror of https://github.com/octoleo/restic.git synced 2024-12-22 02:48:55 +00:00

Update docs according to comments from MichaelEischer in PR #3656

This commit is contained in:
Luc Gommans 2022-02-20 21:44:18 +01:00 committed by Leo R. Lundgren
parent 676d5d498c
commit 80969a6347
2 changed files with 19 additions and 14 deletions

View File

@ -319,9 +319,8 @@ four Sundays, but remove the rest:
8 snapshots
The result of the ``forget --keep-daily`` operation only partially depends on
when it is run; it will only count the days for which a snapshot exists,
although snapshots with a `time` lying in the future are ignored and never
removed. This is a safety feature: it prevents restic from removing snapshots
when it is run, counting only the days for which a snapshot exists.
This is a safety feature: it prevents restic from removing snapshots
when no new ones are created. Otherwise, running ``forget --keep-daily 4`` on
a Friday (without any snapshot Monday to Thursday) would remove all snapshots!
@ -346,6 +345,10 @@ could specify:
Security considerations in append-only mode
===========================================
.. note:: TL;DR: append-only repositories should use the ``--keep-within``
option. This will allow you to notice problems with the backup or the
compromised host during the specified duration.
To prevent a compromised backup client from deleting its backups (for example
due to a ransomware infection), a repository service/backend can serve the
repository in a so-called append-only mode. This means that the repository can
@ -358,23 +361,24 @@ standard backends do. To support append-only with such a backend, one can use
.. _rclone: https://rclone.org/commands/rclone_serve_restic/
To remove snapshots and recover the corresponding disk space, the ``forget``
and ``prune`` commands must have full read, write and delete access to the
and ``prune`` commands require full read, write and delete access to the
repository. If an attacker has this, the protection offered by append-only
mode is naturally void.
However, even with append-only mode active, an attacker who is able to add
additional and empty or otherwise useless snapshots to the repository can
potentially cause a situation where a trusted client running ``forget`` with
certain ``--keep-*`` options might unknowingly remove legitimate snapshots,
leaving only the attackers useless snapshots.
garbage snapshots to the repository could bring the snapshot list into a state
where all legitimate snapshots are deleted by a client with full access. By
running ``forget`` with certain ``--keep-*`` options as repository
administrator, legitimate snapshots might be unknowingly removed, leaving only
the attacker's useless snapshots.
For example, if the ``forget`` policy is to keep three weekly snapshots, and
the attacker adds an empty snapshot for each of the last three weeks, all with
a timestamp (see the ``backup`` command's ``-`time`` option) slightly more
a timestamp (see the ``backup`` command's ``--time`` option) slightly more
recent than the existing snapshots (but still within the target week), then the
next time the repository administrator (or scheduled job) runs the ``forget``
next time the repository administrator (or a scheduled job) runs the ``forget``
command with this policy, the legitimate snapshots will be removed (since the
policy will use the most recent snapshot within each week). Even without
policy will keep only the most recent snapshot within each week). Even without
running ``prune``, recovering data would be messy and some metadata lost.
To avoid this, ``forget`` policies applied to append-only repositories should

View File

@ -632,7 +632,7 @@ system making backups could:
and wait until a trusted host has used ``forget`` often enough to remove all
correct snapshots.
- Create a garbage snapshot for every existing snapshot with a slightly
different timestamp and wait until certain ``forget`` configurations has been
different timestamp and wait until certain ``forget`` configurations have been
run, thereby removing all correct snapshots at once.
An adversary with write access to your files at the storage location could:
@ -666,5 +666,6 @@ An adversary who has a leaked (decrypted) key for a repository could:
same repository, an attacker will get access to the backup data of every host.
Note that since the local encryption key gives access to the master key, a
password change will not prevent this. Changing the master key can currently
be done using the ``copy`` command, which moves the data into a new repository
with a new master key, or by making a completely new repository and new backup.
only be done using the ``copy`` command, which moves the data into a new
repository with a new master key, or by making a completely new repository
and new backup.