"compromised client" threat model #8193

Open
aerusso opened this issue Apr 21, 2024 · 1 comment
aerusso commented Apr 21, 2024

Have you checked borgbackup docs, FAQ, and open GitHub issues?

Yes, I've read hosting repositories, protecting against a hacked backup client, and the attack model pages.

Is this a BUG / ISSUE report or a QUESTION?

Question

System information. For client/server mode post info for both machines.

(not relevant)

Full borg command line that led to the problem (leave away excludes and passwords)

(not relevant)

Describe the problem you're observing or your question.

Hello! First of all, thanks for the excellent work! I have a few questions that I was not able to find nailed down in the docs, or in an issue here on GitHub. I'm sorry if this is covered elsewhere (and if it is, I'd like to get it referenced in the FAQ to cut down on this kind of noise question in the future).

I'm considering a case where I have one machine (the borg client) that might be subject to an "evil maid attack". I have another machine (the borg backup server) that I'm assuming is totally secure. I'm planning on running borg serve --append-only --restrict-to-repository /mnt/somewhere/for/client via socat, as described in backing up in pull mode.

I have a few questions:

  1. The attack model page suggests this setup is not in-scope (but other pages suggest otherwise). Can a remote client cause borg serve to "go rogue" and (say, e.g.) execute arbitrary commands on the backup server? I.e., would you consider this a security vulnerability worth a CVE?
  2. Obviously a malicious client could corrupt the backed up data. But, can a malicious client corrupt the backup in such a way that a subsequent borg restore or borg mount does anything worse than serve malicious/corrupt files? E.g., could a malicious client cause a subsequent borg command on that dataset to become compromised? (I'm assuming this would be considered a security vulnerability worth a CVE?)
  3. I'd appreciate anything else in this vein that perhaps I'm missing here. Maybe, have there been vulnerabilities like this in borg before or do you recommend server-side snapshotting of the borg database?
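The pull-mode setup the question describes (server-side `borg serve --append-only --restrict-to-repository` reached through socat) has two halves that live on different machines, so it is easy to get the direction of the socket forwarding wrong. The script below is an added example, not code from the borg project or from the issue author; it follows the shape of borg's documented "backing up in pull mode" recipe as I recall it, and every path and host name in it (`/run/borg/client.sock`, `backup-client.example`, the `ssh://backupserver/...` repository URL) is an assumed placeholder. Each function only composes the command for one side of the exchange so the wiring can be inspected before anything is run.

```shell
#!/bin/sh
# Added example (not from the borg project or the issue author).
# Constructed values: the socket path, the client host and the repo URL host.
REPO=/mnt/somewhere/for/client          # per-client repo dir, as in the question
SOCK=/run/borg/client.sock              # constructed unix socket path, same on both ends
CLIENT=backup-client.example            # constructed host name of the machine being backed up

# Backup server: the command the socket listener hands each connection.
# --append-only stops a hostile client from deleting or overwriting chunks it
# already sent; --restrict-to-repository confines it to this one repo directory.
serve_cmd() {
    printf 'borg serve --append-only --restrict-to-repository %s' "$1"
}

# Backup server: listen on a local unix socket and spawn one restricted
# "borg serve" per connection. Nothing here is exposed to the network.
server_listener_cmd() {
    printf 'socat UNIX-LISTEN:%s,fork EXEC:"%s"' "$SOCK" "$(serve_cmd "$REPO")"
}

# Backup server: initiate the pull. "ssh -R" makes the CLIENT create the socket
# and forward anything connecting to it back to the server's listener, so the
# only thing the client can reach is the restricted serve process above.
pull_ssh_cmd() {
    printf 'ssh -R %s:%s %s' "$SOCK" "$SOCK" "$1"
}

# Client, inside that ssh session: replace the ssh transport borg would spawn
# with a socat bridge to the forwarded socket. The host and "borg serve ..."
# arguments borg appends land in $0.. of "sh -c" and are ignored, so the
# server alone decides which serve flags apply.
client_env() {
    printf "BORG_RSH=\"sh -c 'exec socat STDIO UNIX-CONNECT:%s'\"" "$SOCK"
}

# Client, same session: a normal borg create. The host part of the URL is
# irrelevant because BORG_RSH never opens a real ssh connection.
client_create_cmd() {
    printf 'borg create ssh://backupserver%s::{hostname}-{now} %s' "$REPO" "$1"
}

# Print the full exchange when invoked as "sh pull-mode.sh show".
if [ "${1:-}" = "show" ]; then
    echo "[server, once]      $(server_listener_cmd) &"
    echo "[server, per pull]  $(pull_ssh_cmd "$CLIENT") \\"
    echo "    \"export $(client_env); $(client_create_cmd /etc)\""
fi
```

The append-only flag only limits what the client can do to existing data; it does not stop a compromised client from filling the repository with garbage, which is why the server-side snapshot the maintainer mentions in the reply is a useful second layer and why restores or `borg check` runs should happen from the trusted side.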
ThomasWaldmann changed the title from "[QUESTION] compromised client threat model" to ""compromised client" threat model" on Apr 22, 2024
ThomasWaldmann (Member) commented Apr 22, 2024

AFAIK:

  1. yes, the borg threat model is different. no arbitrary command execution, see API in remote.py. yes.
  2. yes, no, no, yes.
  3. if you want to do a security review for the way you use it, please do so. as you already noticed, borg was written with a different threat model and is usually used in "push mode". using server side snapshotting might add an additional layer of security and might be a bit easier to use than a borg repo rollback when using append-only mode.
