[Box Backup] Danger of files being erased
boxbackup at fluffy.co.uk
Sun Feb 1 22:10:18 GMT 2004
On 1 Feb 2004, at 18:16, Pascal Lalonde wrote:
> I've been thinking...
> What happens if a box running the BoxBackup client gets broken into?
> What if that person has bad intentions, or worse, is filled with
> of the purest evil, decides to use the BoxBackup client to log in the
> server and destroy your backup?
> Is it possible to somehow delete all backupped files using the client?
> If so, it is quite frightening. I'm not saying that I'm expecting my
> servers to be compromised, but you can never be 100% safe. Maybe there
> should be an additionnal protection when it comes to deleting files.
> example, the server could refuse deleting any files unless the client
> supplies a specific passphrase.
The client cannot actually delete any files from the server, it can
merely mark them as deleted. In the worst case scenario, the malicious
attacker marks all you files deleted. But since you're not over the
storage limit on the server, the server will not actually delete any of
them. If it does, it will only delete a few of the oldest versions.
The restore utility has an option to recursively restore deleted
directories and files. You might get files *you* deleted restored in
error, but you won't have lost anything.
> And also is it possible to lock the
> backup key, like putting a passphrase on it? Of course the passphrase
> has to be entered before using the key, which means when bbackupd or
> bbackupquery is started.
There's not much point in doing this. It would add little to the
security of the system, and provide a false sense of security. Seeing
as the key and the data on the computer you've just broken into are
effectively equivalent, there is no reason to protect the key. An
attacker would just read the decrypted data.
Of course, there is the problem that if they broke in to your computer
and stole the keys, they could then use the backup server to get copies
of your files whenever they wanted. But this could be solved by
changing the certificate -- and you would notice the break-in, wouldn't
Security is about reacting, as well as preventing.
> And I was also thinking about some maintenance functions. After a
> the server may be filled with a lot of old data. Maybe there should be
> utility which removes all data that is X days or older, unless there is
> only one version of the file, of course. This is yet another
> which I don't have a need for right now, but it could be handy someday.
> Consider a big user base which works with big data files that are
> often, maybe within a few months the data on the server would grow too
This is already implemented. There are two bbstored processes, one
accepts connections from clients, the second is a housekeeping process
which does exactly what you describe. It's aim is to keep the size of
the store just below the soft limit by removing old files. There's an
order of priority of deletion which aims to ensure that you delete the
least useful data first.
> Aside from that, I haven't played a lot with BoxBackup yet. But here
> the good points I noticed:
> - The server hasn't crashed. It runs on OpenBSD 3.3. It doesn't seem to
> be leaking, having run for a few days. (Although the data backed up
> pretty small, it may not be significant). From ps aux:
> _bbstored 2040 0.0 0.5 1340 1328 ?? S Wed06PM 0:00.74
> bbstored: server (bbstored)
> _bbstored 28541 0.0 1.0 2980 2624 ?? S Wed06PM 0:13.02
> bbstored: housekeeping, idle (bbstored)
Looks about right. The housekeeping process shouldn't increase in size
> - Same for the client. It hasn't crashed:
> root 14512 0.0 0.8 1016 2164 ?? I Thu01AM 0:10.28
> bbackupd: idle (bbackupd)
Good -- it should stay at about that level of memory usage.
> - It was a little tricky to install, but I suspect the next version
> fix a lot of that. Once it is installed though, you can forget about
> it and it just runs, silently.
Yes, I'm learning a lot about installation from the discussions on this
> - I like the way files are restored, although a little search command
> could be useful someday.
I agree, and am planning to do something far more useful than the
primitive bbackupquery -- which is really intended for sysadmin use
only. I will be writing "brestored" which will accept connections from
users, and allow them to get old versions, restore (only) their files,
that sort of thing.
> - I'm really considering running it on every machine I own. I'm just
> waiting to get more disk space.
> - Especially useful with a laptop!
You can leave it running on the laptop, regardless of whether it's
connected or not. If it fails to connect, it'll try again every 100
seconds until it succeeds.
> I don't backup a lot of data yet, so I can't really say more than that
> for now, and maybe with more data other problems will arise.
If you could verify the backup occasionally, that would be very useful.
> Oh, and I noticed a typo in bbackupquery:
> Unrecognised command -> Unrecognized command
> 'z', not 's'.
Er, that's not a spelling mistake. My locale is en-UK. :-)
Thanks for using it and reporting back! Feedback from users is
essential for completing this project successfully.
More information about the Boxbackup