On Feb 5, 2009, at 8:13 AM, Dominic wrote:
The ones I think most interesting are first whether new repositories can be created (logically yes, but does it work?), and second -- check-destination-dir (and automatic fixing of a previous failed backup). Logically --check-destination-dir should work because the action that rdiff-backup takes in this case is not a security risk (it is only undoing a backup that has failed, and a malicious user cannot use it to remove valid backups), but as it involves deleting data on the server --restrict-update-only might prevent it. I guess the best way to find out for sure is to create a failed backup and try it...
Automatically repairing a failed backup will fail if you have -- restrict-update-only for exactly the reason Dominic describes. I have thought this one through yet, but perhaps over the course of multiple backup sessions, a malicious user could construct a source to fail in a bad way when the repository tries to repair itself.
An administrator paranoid and involved enough to be using --restrict- update-only is assumed to be vigilant enough to pay attention when rdiff-backup has failed (since it will error and backtrace) and manually intervene to repair the repository.
Regarding first creating new repositories, yes, I think that too will be blocked. There was some discussion a few years ago about this: http://savannah.nongnu.org/bugs/?16897 ... I don't remember what was resolved. I suppose we could add os.mkdir() to the safe list.
Andrew _______________________________________________ rdiff-backup-users mailing list at [email protected] http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
