From ac0b9fbdae10a18a9ef18083ad4320e138ecfbd7 Mon Sep 17 00:00:00 2001 From: enkore Date: Wed, 10 Jan 2018 12:31:06 +0100 Subject: [PATCH 1/3] sec docs: explicitly note what happens OUTSIDE the attack model (cherry picked from commit 674ce72fdadbd50a0c36c9e316632603a5a3225c) --- docs/internals/security.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/internals/security.rst b/docs/internals/security.rst index 375aee7e0..16a0fd092 100644 --- a/docs/internals/security.rst +++ b/docs/internals/security.rst @@ -37,6 +37,10 @@ Under these circumstances Borg guarantees that the attacker cannot The attacker can always impose a denial of service per definition (he could forbid connections to the repository, or delete it entirely). +When the above attack model is extended to include multiple clients +independently updating the same repository, then Borg fails to provide +confidentiality (i.e. guarantees 3) and 4) do not apply any more). + .. _security_structural_auth: Structural Authentication From 0555fe4869930c1225ae5b101b3277d5fdbae880 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Fri, 9 Mar 2018 18:02:57 +0100 Subject: [PATCH 2/3] security docs: add about combining compression and encryption (cherry picked from commit be8913a93c499f4e39c9fb24a72bd478d4efecea) --- docs/internals/security.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/internals/security.rst b/docs/internals/security.rst index 16a0fd092..f785a9591 100644 --- a/docs/internals/security.rst +++ b/docs/internals/security.rst 
@@ -373,3 +373,16 @@ while libssl implements TLS and related protocols. The latter is not used by Borg (cf. `Remote RPC protocol security`_, Borg itself does not implement any network access) and historically contained most vulnerabilities, especially critical ones. The static binaries released by the project contain neither libssl nor the Python ssl/_ssl modules. + +Compression and Encryption +========================== + +Combining encryption with compression can be insecure in some contexts (e.g. online protocols). + +There was some discussion about this in `github issue #1040`_ and for Borg some developers +concluded this is no problem at all, some concluded this is hard and extremely slow to exploit +and thus no problem in practice. + +No matter what, there is always the option not to use compression if you are worried about this. + +.. _github issue #1040: https://github.com/borgbackup/borg/issues/1040 From 2f443cae73143fac3bcbe79222f22e8a1469f846 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Fri, 9 Mar 2018 23:27:31 +0100 Subject: [PATCH 3/3] docs: extend append-only repo rollback docs, fixes #3579 (cherry picked from commit 451b22ee511c2470f4df33bbb88d8c5cd5ecb172) --- docs/usage/notes.rst | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/usage/notes.rst b/docs/usage/notes.rst index d5415d0e9..e5a912bfa 100644 --- a/docs/usage/notes.rst +++ b/docs/usage/notes.rst 
@@ -201,15 +201,28 @@ copy just in case something goes wrong during the recovery. Since recovery is do deleting some files, a hard link copy (``cp -al``) is sufficient. The first step to reset the repository to transaction 5, the last uncompromised transaction, -is to remove the ``hints.N`` and ``index.N`` files in the repository (these two files are -always expendable). In this example N is 13. +is to remove the ``hints.N``, ``index.N`` and ``integrity.N``files in the repository (these +files are always expendable). In this example N is 13. Then remove or move all segment files from the segment directories in ``data/`` starting with file 6:: rm data/**/{6..13} -That's all to it. +That's all to do in the repository. + +If you want to access this rollbacked repository from a client that already has +a cache for this repository, the cache will reflect a newer repository state +than what you actually have in the repository now, after the rollback. + +Thus, you need to clear the cache:: + + borg delete --cache-only repo + +The cache will get rebuilt automatically. Depending on repo size and archive +count, it may take a while. + +You also will need to remove ~/.config/borg/security/REPOID/manifest-timestamp. Drawbacks +++++++++
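Review bot: the paragraph added to docs/internals/security.rst in patch 1/3 identifies the lost guarantees only by position ("guarantees 3) and 4)"), so it will point at the wrong items if the list above it is ever reordered or extended. It also gives no reason why multiple clients updating the same repository break confidentiality. Suggest naming the two guarantees in words and adding either a one-sentence reason or a cross-reference to the section that explains it, so a reader can judge whether their multi-client setup is affected.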
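Review bot: the "Compression and Encryption" section added in patch 2/3 says the combination "can be insecure in some contexts" but never states what is at risk or under which conditions, and its only advice is "the option not to use compression", without saying how to select that. Suggest stating the concern in one sentence and pointing to the compression setting a user would change. Reporting that "some developers concluded" one thing and some another also leaves the project's position unclear; a single stated assessment, with the link to issue #1040 kept as background, would serve security documentation better.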
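Review bot: in the docs/usage/notes.rst hunk of patch 3/3, "``integrity.N``files" is missing the space after the closing backticks, so reStructuredText will not end the inline literal there and the sentence renders incorrectly; it should read "``integrity.N`` files". In the same hunk, the path ~/.config/borg/security/REPOID/manifest-timestamp is not marked up as a literal like the other file names, the final step gives neither a command nor a reason (unlike the cache step just above it), and "rollbacked" should be "rolled-back".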