2018-05-17 18:14:17 +00:00

The [[git-annex-shell]] wrapper allows the configuration of a readonly
repository (through the `GIT_ANNEX_READONLY` environment and friends)
but that is useful only when we want users to access the data and not
add to it.

It would be nice to have a *write-only* or "append-only" mode. My use
case is a backup server that would receive git-annex objects and
changes, but would forbid the client from deleting content on the
server. This is to protect contents from being destroyed (or encrypted,
as is a common pattern with ransomware) by a compromised client.

There have been some discussions and work done to protect *branches* in
such a way, in
[[todo/git-hook_to_sanity-check_git-annex_branch_pushes]], and that
could help, but even with git hooks, a malicious client could still
drop content.

It seems to me this would require modifications to the
`git-annex-shell` wrapper to forbid certain operations like `dropkey`,
`lockcontent`, or `p2pstdio`, although I'm unfamiliar with the last two,
so I am not certain they could be harmful. Maybe `p2pstdio` itself
could be somewhat fixed to allow only append commands.

Is it fair to assume that `recvkey` is safe in this context, i.e. that
it wouldn't overwrite an existing bit of content without first doing a
checksum?

Thanks! -- [[anarcat]]

2018-05-25 17:17:56 +00:00

> Good idea.. Implemented.
>
> I'm not entirely happy with the name, but could not think of
> a better one.
>
> Yes, `recvkey` will never overwrite content already in the annex,
> and unless you turn off annex.verify, hashes will also be checked
> before letting anything into the annex.
>
> Of course, if non-hashed keys are used, and an object has not
> reached the repository yet from a trusted source, an attacker
> could slip in something malicious without being noticed.
> Setting annex.securehashesonly would be a good idea to prevent this.
>
> p2pstdio implements the same security policies as the rest of
> git-annex-shell.
>
> --[[Joey]]
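As an added example (not code from the git-annex project or from either poster), this is how a backup server would wire the append-only mode requested above together with the `annex.securehashesonly` setting from the reply: the client's ssh key is pinned to `git-annex-shell` through a forced command, so whatever the client asks to run is handed to the wrapper, which then enforces the policy. The variable names `GIT_ANNEX_SHELL_APPENDONLY` and `GIT_ANNEX_SHELL_DIRECTORY` are assumed to be the ones git-annex-shell documents for this; the key and path are constructed.

```shell
#!/bin/sh
# Added example, not git-annex project code. Builds the sshd authorized_keys
# entry that confines a backup client's key to git-annex-shell in append-only
# mode, so the client can push objects but never drop them.
# GIT_ANNEX_SHELL_APPENDONLY / GIT_ANNEX_SHELL_DIRECTORY: assumed names.

# Characters allowed in the key and repository path. Anything else (quotes,
# newlines, shell metacharacters) could break out of the command="..." string
# or smuggle in a second authorized_keys line, so such input is rejected.
safe_chars='A-Za-z0-9+/=@._: -'

is_safe() {
    case $1 in
        ''|*[!$safe_chars]*) return 1 ;;
    esac
}

# appendonly_authorized_keys_entry PUBKEY REPO
# Prints one authorized_keys line. "restrict" disables pty, port and agent
# forwarding; command= ignores what the client asked to run and passes its
# request to git-annex-shell, which applies the append-only policy to REPO.
appendonly_authorized_keys_entry() {
    is_safe "$1" && is_safe "$2" || return 1
    printf 'restrict,command="GIT_ANNEX_SHELL_APPENDONLY=true GIT_ANNEX_SHELL_DIRECTORY=%s git-annex-shell -c \\"$SSH_ORIGINAL_COMMAND\\"" %s\n' "$2" "$1"
}

# harden_backup_repo REPO
# Refuse non-hashed keys (WORM, URL) in the backup repository, so an attacker
# cannot slip unverifiable content in before a trusted copy has arrived.
harden_backup_repo() {
    git -C "$1" config annex.securehashesonly true
}

# Usage on the server (constructed key, hypothetical path):
#   appendonly_authorized_keys_entry 'ssh-ed25519 AAAAC3 backup@client' \
#       /srv/annex/backup >> ~/.ssh/authorized_keys
#   harden_backup_repo /srv/annex/backup
```

The resulting line should be the only way the backup key can reach the server; an unrestricted second entry for the same key would bypass the wrapper entirely.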