--private-repos flag is being ignored in docker image

[Schroedingers-Cat]

Output of rest-server --version

docker images restic/rest-server:latest -q
4860e044dfed

How did you run rest-server exactly?

The docker-compose.yaml is:

version: '3.3'
services:
    rest-server:
        ports:
            - '450:8000'
        volumes:
            - '/home/restic/data:/data'
        container_name: rest_server
        image: restic/rest-server
        user: 1003:1003
        restart: always
        environment:
          - OPTIONS="--private-repos--append-only"

The files in /home/restic/data are owned by UID 1003 including the .htpaswd. The container is being started with docker-compose up. A user with a password has been created via the suggested way. That user (on a client machine) then proceeds to create a repo called test with the url rest:http://user:pass@servername:450/test.

What backend/server/service did you use to store the repository?

Ubuntu Server 18.04.05 and Docker version 20.10.12.

Expected behavior

I'd expect the output to look like this:

rest_server    | Data directory: /data
rest_server    | Authentication enabled
rest_server    | Private repositories enabled
rest_server    | start server on :8000
rest_server    | Denied access to directories for user `username` in /data/test

The Private repositories should read enabled.

Also note the last line when the server receives a call from the client to create a new repo test. I'd expect the server to deny access to the user user since the access request didn't include the user's directory as explained in https://github.com/restic/rest-server#usage.

Actual behavior

What actually happens is this:

Attaching to rest_server
rest_server    | Data directory: /data
rest_server    | Authentication enabled
rest_server    | Private repositories disabled
rest_server    | start server on :8000
rest_server    | Creating repository directories in /data/test

The server seems to ignore the private repos flag and allows the user user to create a repo outside of the user directory.

Steps to reproduce the behavior

Just use the docker-file from above as repro-case. You might want to create a user with the UID 1003 or change that UID to an existing user on your system. Same for the data/.htpasswd file and its ownership.

Do you have any idea what may have caused this?

Possibly the use of the OPTIONS-variable could be wrong since the expected formatting isn't documented. I had to dig through this repo's issues to guesstimate how it should be used, so that's likely a source for misunderstandings and outdated info.

It could also be just a bug. I think this is most likely the case since the server usually logs when it didn't recognize a flag which means it did recognize the --private-repos flag but failed to apply it.

Do you have an idea how to solve the issue?

Including a usage example for the OPTIONS variable in the README.md might help.

Did rest-server help you today? Did it make you happy in any way?

Absolutely! The server's append-only mode seems to be a great way for protecting previous backups from bad things happening on a client machine.

[rawtaz]

I have not read all you wrote, but the value for OPTIONS in your compose file has one argument, not two. You should put a space between the --private-repos and --append-only parts in the current --private-repos--append-only you have there.

[Schroedingers-Cat]

I already tried that. I should have included that in my bug report but didn't want to increase the noise since I found an issue here that suggested to not use a whitespace as separator for the flags.

Anyway, here's what happens with the environment section reading - OPTIONS="--private-repos --append-only":

Attaching to rest_server
rest_server    | 2023/01/06 23:37:25 error: unknown flag: --append-only"
rest_server exited with code 1

When changing the environment section to - OPTIONS="--append-only --private-repos", the output is basically vice versa:

Attaching to rest_server
rest_server    | 2023/01/06 23:39:06 error: unknown flag: --private-repos"
rest_server exited with code 1

[rawtaz]

It's just a syntax error in your compose file. The quotes around the arguments for OPTIONS are included in the value (Compose don't use quotes to delimit the value), so you need to remove them. Personally I always use the VAR: VALUE syntax instead of the VAR=VALUE one for reasons explained on the Internet, but whichever floats your boat. Regardless, just remove the quotes for starters so the value is just --append-only --private-repos instead of "--append-only --private-repos".

[Schroedingers-Cat]

Thanks a lot, removing the " from the OPTIONS-line fixed the issue and the flags are becoming effective.