[Box Backup] Danger of files being erased

Ben Summers boxbackup@fluffy.co.uk
Sun, 1 Feb 2004 22:10:18 +0000


On 1 Feb 2004, at 18:16, Pascal Lalonde wrote:

>
> I've been thinking...
>
> What happens if a box running the BoxBackup client gets broken into?
> What if that person has bad intentions, or worse, is filled with
> intentions of the purest evil, and decides to use the BoxBackup client
> to log in to the server and destroy your backup?
>
> Is it possible to somehow delete all backed-up files using the client?

No.

> If so, it is quite frightening. I'm not saying that I'm expecting my
> servers to be compromised, but you can never be 100% safe. Maybe there
> should be an additional protection when it comes to deleting files. For
> example, the server could refuse to delete any files unless the client
> supplies a specific passphrase.

The client cannot actually delete any files from the server, it can 
merely mark them as deleted. In the worst-case scenario, the malicious 
attacker marks all your files deleted. But since you're not over the 
storage limit on the server, the server will not actually delete any of 
them. If it does, it will only delete a few of the oldest versions.

The restore utility has an option to recursively restore deleted 
directories and files. You might get files *you* deleted restored in 
error, but you won't have lost anything.


> And also, is it possible to lock the
> backup key, like putting a passphrase on it? Of course the passphrase
> has to be entered before using the key, which means when bbackupd or
> bbackupquery is started.

There's not much point in doing this. It would add little to the 
security of the system, and provide a false sense of security. Seeing 
as the key and the data on the computer you've just broken into are 
effectively equivalent, there is no reason to protect the key. An 
attacker would just read the decrypted data.

Of course, there is the problem that if they broke in to your computer 
and stole the keys, they could then use the backup server to get copies 
of your files whenever they wanted. But this could be solved by 
changing the certificate -- and you would notice the break-in, wouldn't 
you?

Security is about reacting, as well as preventing.

>
> And I was also thinking about some maintenance functions. After a
> while, the server may be filled with a lot of old data. Maybe there
> should be a utility which removes all data that is X days or older,
> unless there is only one version of the file, of course. This is yet
> another suggestion, which I don't have a need for right now, but it
> could be handy someday. Consider a big user base which works with big
> data files that are updated often; maybe within a few months the data
> on the server would grow too big.

This is already implemented. There are two bbstored processes: one 
accepts connections from clients, the second is a housekeeping process 
which does exactly what you describe. Its aim is to keep the size of 
the store just below the soft limit by removing old files. There's an 
order of priority of deletion which aims to ensure that you delete the 
least useful data first.

>
> Aside from that, I haven't played a lot with BoxBackup yet. But here
> are the good points I noticed:
>
> - The server hasn't crashed. It runs on OpenBSD 3.3. It doesn't seem to
>   be leaking, having run for a few days. (Although the data backed up
>   is pretty small, so it may not be significant.) From ps aux:
>   _bbstored  2040  0.0  0.5  1340  1328 ??  S     Wed06PM    0:00.74
>   bbstored: server (bbstored)
>   _bbstored 28541  0.0  1.0  2980  2624 ??  S     Wed06PM    0:13.02
>   bbstored: housekeeping, idle (bbstored)

Looks about right. The housekeeping process shouldn't increase in size 
much.

>
> - Same for the client. It hasn't crashed:
>   root     14512  0.0  0.8  1016  2164 ??  I     Thu01AM    0:10.28
>   bbackupd: idle (bbackupd)

Good -- it should stay at about that level of memory usage.

>
> - It was a little tricky to install, but I suspect the next version
>   will fix a lot of that. Once it is installed though, you can forget
>   about it and it just runs, silently.

Yes, I'm learning a lot about installation from the discussions on this 
list!

>
> - I like the way files are restored, although a little search command
>   could be useful someday.

I agree, and am planning to do something far more useful than the 
primitive bbackupquery -- which is really intended for sysadmin use 
only. I will be writing "brestored" which will accept connections from 
users, and allow them to get old versions, restore (only) their files, 
that sort of thing.

>
> - I'm really considering running it on every machine I own. I'm just
>   waiting to get more disk space.

Thanks!

>
> - Especially useful with a laptop!

You can leave it running on the laptop, regardless of whether it's 
connected or not. If it fails to connect, it'll try again every 100 
seconds until it succeeds.

>
> I don't backup a lot of data yet, so I can't really say more than that
> for now, and maybe with more data other problems will arise.

If you could verify the backup occasionally, that would be very useful.

>
> Oh, and I noticed a typo in bbackupquery:
> Unrecognised command -> Unrecognized command
> 'z', not 's'.

Er, that's not a spelling mistake. My locale is en-UK. :-)

Thanks for using it and reporting back! Feedback from users is 
essential for completing this project successfully.

Ben
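As an added illustration (not Box Backup's own code) of the soft-delete and housekeeping behaviour Ben describes: a client, compromised or not, can only flag versions as deleted; the housekeeping process frees space only while the store is over its soft limit. The removal order used here (oldest superseded versions first, never a file's sole version) is an assumption, not the documented priority order.

```python
"""Toy model of the Box Backup store semantics discussed above.
Added illustration, not Box Backup's code."""
from dataclasses import dataclass


@dataclass
class Version:
    seq: int             # upload order; lower means older
    size: int
    deleted: bool = False  # soft-delete flag: the only thing a client can set


class Store:
    def __init__(self, soft_limit):
        self.soft_limit = soft_limit
        self.files = {}    # path -> list of Version, oldest first
        self.seq = 0

    def upload(self, path, size):
        self.seq += 1
        self.files.setdefault(path, []).append(Version(self.seq, size))

    def used(self):
        return sum(v.size for vs in self.files.values() for v in vs)

    def client_delete(self, path):
        # All a client (or an attacker holding its key) can do: flag, not erase.
        for v in self.files[path]:
            v.deleted = True

    def restore_deleted(self, path):
        # What the recursive "restore deleted" option undoes.
        for v in self.files[path]:
            v.deleted = False

    def housekeeping(self):
        """Remove data only while over the soft limit. Assumed order:
        oldest superseded version first; a file's only version is kept."""
        removed = 0
        while self.used() > self.soft_limit:
            candidates = [(vs[0].seq, p) for p, vs in self.files.items()
                          if len(vs) > 1]
            if not candidates:
                break  # nothing safe to remove; stay over the limit
            _, path = min(candidates)
            self.files[path].pop(0)
            removed += 1
        return removed
```

Marking every file deleted leaves `used()` unchanged, so a store below its soft limit loses nothing; only a later upload pushing it over the limit causes housekeeping to remove an old version.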