@kylewlacy
Created October 3, 2018 05:57
Demo of what `--default-permissions` does for restic
$ # 1. Set up a basic directory structure with a file owned by a different user
$ mkdir poc
$ cd poc
$ echo -n "password" > ./pass.txt
$ mkdir ./data
$ echo "Hello world" | tee ./data/public.txt
$ echo "very secret, shhh" | tee ./data/private.txt
$ chmod 0600 ./data/private.txt
$ sudo chown root:root ./data/private.txt # Can be owned by any other user
$ tree
.
├── data
│   ├── private.txt
│   └── public.txt
└── pass.txt
1 directory, 3 files
$ # 2. Create a restic repo and a snapshot
$ sudo restic init -r ./repo --password-file ./pass.txt
created restic repository a1b2c3d4e5 at ./repo
$ sudo restic backup ./data -r ./repo --password-file ./pass.txt
processed 2 files, 30 B in 0:00
snapshot abcd1234 saved
$ # 3. Mount the repo, steal private files
$ mkdir ./backup
$ sudo restic mount ./backup --allow-other -r ./repo --password-file ./pass.txt &
$ cat ./data/public.txt
Hello world
$ cat ./data/private.txt # Owned by root!
cat: ./data/private.txt: Permission denied
$ cat ./backup/snapshots/latest/data/public.txt
Hello world
$ cat ./backup/snapshots/latest/data/private.txt
very secret, shhh
$ # !!!
$ # We shouldn't be able to read private.txt in the mounted directory!
$ # 4. Mount the repo with --default-permissions, fail to steal private files
$ sudo fusermount -u ./backup
$ sudo restic mount ./backup --allow-other --default-permissions -r ./repo --password-file ./pass.txt &
$ cat ./backup/snapshots/latest/data/public.txt
Hello world
$ cat ./backup/snapshots/latest/data/private.txt
cat: ./backup/snapshots/latest/data/private.txt: Permission denied
$ # As expected, the original owner can still read the file with this option
$ sudo cat ./backup/snapshots/latest/data/private.txt
very secret, shhh
$ sudo fusermount -u ./backup
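The leak in step 3 and the fix in step 4 come down to two FUSE mount options, and the kernel lists both (as allow_other and default_permissions) in the options column of /proc/mounts. The check below is an added example, not part of the gist: it flags FUSE mounts that carry allow_other without default_permissions, first on constructed sample lines (the fuse.restic fstype and paths are assumed) and then on the live /proc/mounts when one is readable.

```shell
#!/bin/sh
# Added example (not from the original gist). A FUSE mount with allow_other
# but without default_permissions does not have the kernel enforce the
# mode/owner bits the filesystem reports, which is why the restic mount in
# step 3 served private.txt to an unprivileged user.

# Print "mountpoint fstype" for every FUSE mount (fuse, fuse.*, fuseblk)
# that has allow_other but lacks default_permissions.
# Returns 0 when nothing is flagged, 1 when at least one mount is.
audit_fuse_mounts() {
    # $1: contents of /proc/mounts (device mountpoint fstype options dump pass)
    printf '%s\n' "$1" | awk '
        $3 ~ /^fuse/ {
            n = split($4, opts, ",")
            allow_other = 0; default_perms = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "allow_other")         allow_other = 1
                if (opts[i] == "default_permissions") default_perms = 1
            }
            if (allow_other && !default_perms) { print $2, $3; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: a restic mount as in step 3 (exposed), one as in
# step 4 (enforced), an sshfs mount without allow_other (only the mounting
# user can reach it anyway), and an unrelated ext4 entry.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
restic /home/alice/backup fuse.restic rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
restic /home/alice/backup2 fuse.restic rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
sshfs /mnt/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0'

echo "== sample =="
audit_fuse_mounts "$SAMPLE_MOUNTS" || echo "(sample) mounts above are readable by every local user"

# Live check; skipped where /proc/mounts does not exist (e.g. macOS).
if [ -r /proc/mounts ]; then
    echo "== live =="
    audit_fuse_mounts "$(cat /proc/mounts)" || echo "remount the mounts above with --default-permissions (or drop --allow-other)"
fi
```

Only the step-3 style mount is reported for the sample; the enforced mount and the non-allow_other mount pass.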