cmd/serve/restic: add append-only mode #2186
Conversation
|
Rclone will still allow objects to be overwritten. It used to have a check to disallow that but we decided it wasn't necessary. Do you need that for an append only mode? |
|
Restic never overwrites existing objects so I think we should be fine as-is. |
|
Thanks for clarifying that - it looks great :-) |
|
Oh, thanks a lot for implementing this feature! For it to work correctly, we need to check that no files are overwritten. It's something that restic itself won't do, but it's relevant to the situation where the append-only mode is needed. I've described the scenario here: restic/caddy#2 (comment) Attackers may very well talk to rclone directly and instruct it to overwrite files. When attackers gained access to a server, they learn the credentials needed to access rclone (e.g. an SSH key or username/password for the REST server). Usually, this is enough for them to empty the repo and destroy all backups (after all, deleting files in the repo is needed for The REST server we've implemented does not have such a check in the We need to add this test to rclone, but it should only be active in append-only mode. Is there a way (with the FS implementation of rclone) to maybe simulate I've opened #2195 to track this issue. |
3 participants
This PR adds an optional append-only mode to the restic serve cmd, similar to the one implemented in restic's rest-server. Specifically, deletes to any resources that are not locks are disallowed. For reference, here are the spots in the rest-server handlers where this is used:
https://github.com/restic/rest-server/blob/master/handlers.go#L233
https://github.com/restic/rest-server/blob/master/handlers.go#L527