mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
git-annex/doc/todo/append-only_mode.mdwn
Joey Hess 1c86ba8ee8
close, these seem done already
2018-09-06 13:15:21 -04:00

49 lines
2 KiB
Markdown
Raw Blame History

The [[git-annex-shell]] wrapper allows the configuration of a readonly
repository (through the `GIT_ANNEX_READONLY` environment and friends)
but that is useful only when we want users to access the data and not
add to it.
It would be nice to have a *write-only* or "append-only" mode. My use
case is a backup server that would receive git-annex objects and
changes, but would forbid the client from deleting content on the
server. This is to protect contents from being destroyed (or encrypted
as is a common pattern with ransomware) by a compromised client.
There has been some discussions and work done to protect *branches* in
such a way, in
[[todo/git-hook_to_sanity-check_git-annex_branch_pushes]], and that
could help, but even with git hooks, a malicious client could still
drop content.
It seems to me this would require modifications to the
`git-annex-shell` wrapper to forbid certain operations like `dropkey`,
`lockcontent`, or `p2pstdio` although I'm unfamiliar with the last two
so I am not certain they could be harmful. Maybe `p2pstdio` itself
could be somewhat fixed to allow only append commands.
Is it fair to assume that `recvkey` is safe in this context, ie. that
it wouldn't overwrite an existing bit of content without first doing a
checksum?
Thanks! -- [[anarcat]]
> Good idea.. Implemented.
>
> I'm not entirely happy with the name, but could not think of
> a better one.
>
> Yes, `recvkey` will never overwrite content already in the annex,
> and unless you turn off annex.verify, hashes will also be checked
> before letting anything into the annex.
>
> Of course, if non-hashed keys are used, and an object has not
> reached the repository yet from a trusted source, an attacker
> could slip in something malicious without being noticed.
> Setting annex.securehashesonly would be a good idea to prevent this.
>
> p2pstdio implements the same security policies as the rest of
> git-annex-shell.
>
> --[[Joey]]
> Update: I didn't close this before, but it seems [[done]] --[[Joey]]
Reference in a new issue View git blame Copy permalink