As usual, Holger makes some very good points.  I just pushed some additional
changes
<https://github.com/backuppc/backuppc/commit/953a5cb976a76ca3175c984cd84e9bbe070ee241>
so that CgiUserDeleteBackupEnable can be set to a negative value to disable
the backup delete feature for everyone, including admins.

Craig

On Thu, May 3, 2018 at 3:48 PM, Holger Parplies <wb...@parplies.de> wrote:

> Hi,
>
> Steve Palm wrote on 2018-05-03 09:55:38 -0500 [Re: [BackupPC-users]
> BackupPC 4.2.0 released]:
> > I think that would cover it here, as you said, if you give someone Admin
> > rights, then they can alter any other settings. Only a
> > compile-build-install-time option to totally remove it would eliminate
> this
> > possibility.
>
> well, not really. If you can change the host settings, you can probably
> change backup expiry to keep only one or two backups, change the data set
> to only include /tmp, for example, and then manually force one or two
> backups. It's not as fast and easy as a "maliciously delete all backups"
> button, but if we're talking about security, it doesn't have to be easy,
> just possible. With root access to the BackupPC server, it's just a matter
> of 'rm -r', really. If you give someone 'Admin' capabilities (for whatever
> definition may be applicable), he can administratively break things. There
> is really no way to tell a computer to let someone only do constructive
> things. 'gzip /etc/passwd' is a good thing, right? ;-)
>
> For the 'home use' type scenario (as in "backup *PC*"), where people "own"
> machines they backup and restore as they like, there may be some merit in
> allowing them to delete backups on their own.
>
> For the 'office' type scenario (as in "*Backup* pc"), I would expect an IT
> department (or some member(s) of it) to be responsible for backups, and
> *nobody* else to have any access to them. The access control mechanism in
> BackupPC is just not fine-grained enough - if you can see any data within a
> backup, you can see all of it. In this scenario, you probably won't ever
> manually delete backups, and if you do, you'll do it through shell access
> to the BackupPC server from the command line. So you'll have a gratuitous
> "shoot myself in the foot" button in the web interface, nothing more.
>
> There will always be people who use BackupPC somewhere in between those
> scenarios, so yes, why not give them the option of deleting backups through
> the web interface?
>
> > It is a great feature to have, especially with some restrictions on
> > availability. Thanks!
> >
> > > On Apr 21, 2018, at 7:43 PM, Craig Barratt via BackupPC-users <
> backuppc-users@lists.sourceforge.net> wrote:
> > >
> > > I just pushed some changes [...] that add a new config variable
> > > CgiUserDeleteBackupEnable (default off) which sets whether users can
> > > delete backups via the CGI interface.
>
> I agree that this makes sense (both the option and the default).
>
> > >  Admins always have the delete feature enabled.
>
> Absurdly, I'd suggest to always *dis*able the feature for admins. Well, no,
> that doesn't make much sense, either. But it's so easy - even for admins -
> to press the wrong button (just imagine an unresponsive browser or X
> server) and then answer the confirmation dialog the wrong way. If a site
> has the policy (or maybe even legal requirement) "we *never* manually
> delete backups", they should be able to prevent this from happening
> accidentally (or maliciously, if you prefer).
>
> In fact, it's possible to disable direct restores, which can do great harm,
> so I'd argue it should be possible to disable backup deletion, too.
>
> Disclaimer: no, I haven't looked at the new version or its web interface,
> so reality might be less problematic than the theory sounds. But even if
> it's hard to shoot yourself in the foot, someone will manage ;-).
>
> > > On Fri, Apr 20, 2018 at 11:05 AM, Craig Barratt <
> cbarr...@users.sourceforge.net <mailto:cbarr...@users.sourceforge.net>>
> wrote:
> > > [...]
> > > How about I add a configuration setting that has three values -
> > > completely off, admin only, or any user?  The default setting could be
> > > admin only.
>
> I would prefer that implementation. Personally, I'd make the default
> setting "completely off", though I trust people really *wanting* that
> setting could easily enough change it, if the default were different. In a
> way, the default setting seems to be a recommendation. Is manually deleting
> backups that are no longer needed something the average BackupPC admin
> should do, or was it added for the sake of being able to easily fix
> commonly made mistakes without creating more problems along the way?
>
> Regards,
> Holger
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>
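The thread settles on a three-state setting: a negative value of CgiUserDeleteBackupEnable disables CGI backup deletion for everyone (including admins), the default "off" leaves it available to admins only, and a positive value opens it to any user. As an added illustration (not code from BackupPC or from anyone on this list), the small Python audit below reads such an assignment out of a constructed config.pl-style excerpt and reports who could delete backups through the web interface. The `$Conf{Name} = value;` line format and the exact numeric encoding (<0 / 0 / >0) are assumptions drawn from the discussion above; the function names and the sample config are made up for the example.

```python
import re

# Constructed excerpt in the style of a BackupPC config.pl (assumption:
# Perl-style "$Conf{Name} = value;" assignments, one per line).
SAMPLE_CONFIG = """
# Site policy: we never manually delete backups, so disable the
# CGI delete feature for everyone, admins included.
$Conf{CgiUserDeleteBackupEnable} = -1;
$Conf{BackupsDisable} = 0;
"""

# Matches integer-valued $Conf{...} assignments; other value types are ignored.
CONF_INT_RE = re.compile(r'^\s*\$Conf\{(\w+)\}\s*=\s*(-?\d+)\s*;', re.M)


def parse_int_settings(config_text):
    """Return {name: int} for every integer $Conf{...} assignment found."""
    return {m.group(1): int(m.group(2)) for m in CONF_INT_RE.finditer(config_text)}


def can_delete_backup(setting, is_admin):
    """Three-state policy as described in the thread (encoding assumed):
       setting < 0  -> nobody may delete via the CGI, not even admins
       setting == 0 -> admins only (the default, 'off' for ordinary users)
       setting > 0  -> any user may delete
    """
    if setting < 0:
        return False
    if setting == 0:
        return is_admin
    return True


def audit_delete_policy(config_text, default=0):
    """Summarise who can reach the CGI delete feature under this config.

    `default` models the documented default of 'off' (assumed to be 0)
    when the setting is absent from the file."""
    conf = parse_int_settings(config_text)
    setting = conf.get("CgiUserDeleteBackupEnable", default)
    return {
        "setting": setting,
        "admin_can_delete": can_delete_backup(setting, is_admin=True),
        "user_can_delete": can_delete_backup(setting, is_admin=False),
        # True when the site's "never delete manually" policy is enforced.
        "delete_fully_disabled": setting < 0,
    }


if __name__ == "__main__":
    # Expected for the constructed config: setting -1, nobody can delete.
    print(audit_delete_policy(SAMPLE_CONFIG))
```

A site with a "we never manually delete backups" requirement can run such a check from a config-management or CI job so that a later edit flipping the value back to 0 or 1 is caught rather than discovered after an accidental click.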