[Borgbackup] 1.1.x security issue clarifications

Thomas Waldmann tw at waldmann-edv.de
Mon Nov 27 08:21:46 EST 2017


On 11/27/2017 09:17 AM, Felix Schwarz wrote:
> 
> Am 27.11.2017 um 06:24 schrieb Thomas Waldmann:
>> Released borgbackup 1.1.3 with security and bug fixes.
> 
> Also I'd like to understand the impact of the security fix. So it seems a
> malicious borg client with SSH access to the server

As one usually uses ssh keys (or maybe password login for interactive
setups), the authentication done by ssh limits the scope of the
attackers to your *allowed* and *authenticated* users.

This makes this issue a rather low severity one - you could know who is
attacking.

> could read arbitrary borg repos

The security issue was only present in the (new in 1.1) borg serve
option "--restrict-to-repository=...". This is why 1.0.x is not affected.

If you use "--restrict-to-path=..." (which is present since longer),
you're not affected.

This also limits the scope of this vulnerability.

People who still use 1.0.x or who just upgraded to 1.1.x, but did not
change their borg serve restrictions setup (and still use the 1.0
--restrict-to-path mechanism, e.g. in .ssh/authorized_keys) are not
affected.

> (but not arbitrary files, right?).

Correct.

> If these repos are encrypted an
> attacker can get just encrypted blocks, right?
> Is it possible for an attacker to delete or damage another (encrypted)
> repo?

Yes, stuff would be encrypted (assuming encryption is used and different
keys are used, as usual).

But guess he could delete other's repos (assuming filesystem permissions
allow it, like for a shared account that only uses borg features for
separation).

Also, low level ops maybe could do damage (stuff that does not ask for
encryption password). Or malicious client code only doing repo ops.


-- 

GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
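A defender-side check that reads the .ssh/authorized_keys entries mentioned above and reports which borg serve restriction each key is forced into. This is an added example written for this thread, not borgbackup's own code; the key material, paths and client names in the sample are constructed placeholders. It parses the sshd options field (quoted values may contain spaces and commas), pulls out the forced command, and classifies it as path-restricted, repository-restricted, unrestricted, or not a borg serve command at all, flagging the repository mode as the one the 1.1.3 fix concerned.

```python
"""Audit authorized_keys entries for the kind of `borg serve` restriction each
key uses. Example written for this thread, not part of borgbackup."""
import shlex

# Constructed sample; keys, paths and names are placeholders, not real material.
SAMPLE_AUTHORIZED_KEYS = """\
# client A: 1.0-style path restriction
command="borg serve --restrict-to-path /srv/borg/clientA",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYA clientA
# client B: 1.1-style repository restriction
command="borg serve --restrict-to-repository /srv/borg/clientB",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYB clientB
# client C: borg serve with no restriction at all
command="borg serve" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYC clientC
# unrelated key without a forced command
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYD admin
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def split_options(line):
    """Return (options, rest): the leading options field, if any, and the key part.
    sshd allows spaces and commas inside double-quoted option values."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def parse_options(options):
    """Split the options field on commas outside quotes, stripping the quotes."""
    result, cur, in_quote, i = [], [], False, 0
    while i < len(options):
        ch = options[i]
        if ch == "\\" and in_quote and i + 1 < len(options):
            cur.append(options[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            result.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        result.append("".join(cur))
    return result


def restriction_mode(command):
    """Classify a forced command by the borg serve restriction flag it carries."""
    argv = shlex.split(command)
    if argv[:2] != ["borg", "serve"]:
        return "not-borg-serve"
    modes = set()
    for arg in argv[2:]:
        if arg == "--restrict-to-path" or arg.startswith("--restrict-to-path="):
            modes.add("path")
        elif arg == "--restrict-to-repository" or arg.startswith("--restrict-to-repository="):
            modes.add("repository")
    if not modes:
        return "none"
    return "mixed" if len(modes) > 1 else modes.pop()


def classify_line(line):
    """Return a finding dict for one authorized_keys line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_field, rest = split_options(line)
    options = parse_options(options_field)
    fields = rest.split(None, 2)
    comment = fields[2] if len(fields) > 2 else ""
    command = next((o[len("command="):] for o in options if o.startswith("command=")), None)
    mode = restriction_mode(command) if command is not None else "no-forced-command"
    return {
        "comment": comment,
        "command": command,
        "mode": mode,
        # The 1.1.x issue fixed in 1.1.3 only concerned --restrict-to-repository,
        # so only keys forced into that mode were exposed to it.
        "affected_by_1_1_x_issue": mode == "repository",
    }


def audit(text):
    """Classify every key line in an authorized_keys file's contents."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{f['comment']:8s} mode={f['mode']:18s} affected={f['affected_by_1_1_x_issue']}")
```

Run it against a real file with `audit(open(path).read())`; a key reported as `none` is not hit by this particular bug but also has no server-side confinement at all, and `mixed` entries deserve a manual look.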
