Created
October 3, 2018 05:57
-
-
Save kylewlacy/99ec3859955a25dbbb94a56ce1b4de42 to your computer and use it in GitHub Desktop.
Demo of what `--default-permissions` does for restic
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$ # 1. Set up a basic directory structure with a file owned by a different user | |
$ mkdir poc | |
$ cd poc | |
$ echo -n "password" > ./pass.txt | |
$ mkdir ./data | |
$ echo "Hello world" | tee ./data/public.txt | |
$ echo "very secret, shhh" | tee ./data/private.txt | |
$ chmod 0600 ./data/private.txt | |
$ sudo chown root:root ./data/private.txt # Can be owned by any other user | |
$ tree | |
. | |
├── data | |
│ ├── private.txt | |
│ └── public.txt | |
└── pass.txt | |
1 directory, 3 files | |
$ # 2. Create a restic repo and a snapshot | |
$ sudo restic init -r ./repo --password-file ./pass.txt | |
created restic repository a1b2c3d4e5 at ./repo | |
$ sudo restic backup ./data -r ./repo --password-file ./pass.txt | |
processed 2 files, 30 B in 0:00 | |
snapshot abcd1234 saved | |
$ # 3. Mount the repo, steal private files | |
$ mkdir ./backup | |
$ sudo restic mount ./backup --allow-other -r ./repo --password-file ./pass.txt & | |
$ cat ./data/public.txt | |
Hello world | |
$ cat ./data/private.txt # Owned by root! | |
cat: ./data/private.txt: Permission denied | |
$ cat ./backup/snapshots/latest/data/public.txt | |
Hello world | |
$ cat ./backup/snapshots/latest/data/private.txt | |
very secret, shhh | |
$ # !!! | |
$ # We shouldn't be able to read private.txt in the mounted directory! | |
$ # 4. Mount the repo with --default-permissions, fail to steal private files | |
$ sudo fusermount -u ./backup | |
$ sudo restic mount ./backup --allow-other --default-permissions -r ./repo --password-file ./pass.txt & | |
$ cat ./backup/snapshots/latest/data/public.txt | |
Hello world | |
$ cat ./backup/snapshots/latest/data/private.txt | |
cat: ./backup/snapshots/latest/data/private.txt: Permission denied | |
$ # As expected, the original owner can still read the file with this option | |
$ sudo cat ./backup/snapshots/latest/data/private.txt | |
very secret, shhh | |
$ sudo fusermount -u ./backup |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment