I reviewed restic 0.18.1-3 as checked into Resolute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
restic is a fast CLI-based backup utility that focuses on making backup and
restore a very easy process.
- CVE History
- No CVE history. Maintainers are also very active in keeping the
dependencies up to date.
- Build-Depends
- debhelper-compat (= 13), dh-golang, dh-sequence-sphinxdoc, golang-any,
golang-github-anacrolix-fuse-dev, golang-github-backblaze-blazer-dev,
golang-github-cenkalti-backoff-v4-dev, golang-github-cespare-xxhash-dev,
golang-github-elithrar-simple-scrypt-dev, golang-github-google-go-cmp-dev,
golang-github-hashicorp-golang-lru-v2-dev, golang-github-juju-ratelimit-dev,
golang-github-klauspost-compress-dev, golang-github-mattn-go-isatty-dev,
golang-github-minio-minio-go-v7-dev, Cgolang-github-minio-minio-go-v7-dev,
golang-github-peterbourgon-unixtransport-dev, golang-github-pkg-errors-dev,
golang-github-pkg-sftp-dev (>= 1.13.2), golang-github-pkg-xattr-dev,
golang-github-restic-chunker-dev (>= 0.2.0), golang-github-spf13-cobra-dev
(>= 1.2.1), golang-github-spf13-pflag-dev, golang-golang-x-crypto-dev,
golang-golang-x-net-dev, golang-golang-x-oauth2-dev,
golang-golang-x-sys-dev, golang-google-cloud-dev, golang-google-api-dev,
golang-gopkg-tomb.v2-dev, Cgolang-gopkg-tomb.v2-dev, sphinx-common,
sphinx-rtd-theme-common, python3, python-is-python3, python3-sphinx,
python3-sphinx-rtd-theme
- pre/post inst/rm scripts
- Not present
- init scripts
- Not present
- systemd units
- Not present
- dbus services
- Not present
- setuid binaries
- Not present
- binaries in PATH
- /usr/bin/restic
- sudo fragments
- Not present
- polkit files
- Not present
- udev rules
- Not present
- unit tests / autopkgtests
- Has an extensive suite of unit and integration tests which are run at build
time
- There are 1331 tests that pass successfully.
- Basic autopkgtests present.
- cron jobs
- None
- Build logs
- Normal build logs
- Processes spawned
- A few processes are spawned based on the configured backend. For example,
ssh for the sftp backend and rclone (not installed by default)
- The default password handling reads the password from the command line;
this can also be changed using environment variables
- Command construction before spawning the process looks fine. Environment
variables related to restic are stripped out so that information is not
leaked to child processes.
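One way to do the environment stripping described above, as an added example and not restic's own code: the child gets a filtered copy of the parent environment instead of inheriting it. The ssh command line is a simplified stand-in for the real sftp backend invocation, and RESTIC_PASSWORD and RESTIC_REPOSITORY stand for the variables being stripped.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
)

// childEnv returns env with every RESTIC_* entry removed, so a backend helper
// such as ssh (sftp backend) or rclone never inherits RESTIC_PASSWORD,
// RESTIC_REPOSITORY or any other restic-specific value. Unrelated variables
// (PATH, HOME, SSH_AUTH_SOCK, ...) pass through because the helper needs them.
func childEnv(env []string) []string {
	kept := make([]string, 0, len(env))
	for _, kv := range env {
		if strings.HasPrefix(kv, "RESTIC_") {
			continue
		}
		kept = append(kept, kv)
	}
	return kept
}

// sftpCommand spawns the sftp helper with the filtered environment. Leaving
// cmd.Env nil would make the child inherit the full parent environment,
// password included, which is exactly the leak the review checks for.
// The ssh command line here is a simplified stand-in, not restic's own.
func sftpCommand(host string) *exec.Cmd {
	cmd := exec.Command("ssh", host, "-s", "sftp")
	cmd.Env = childEnv(os.Environ())
	return cmd
}
```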
- Memory management
- Done by Go
- File IO
- Being a file backup utility, it does a lot of file reads and writes, which is
expected.
- Files are usually created with mode 0600 or 0700. During a restore, all
extended attributes of the files are restored by default.
- Symlinks are stored as symlinks and not followed while creating the backup.
- Logging
- The CLI logs to stdout and supports verbose output as well as file/function
based debug logging, which can be enabled via environment variables
- Environment variable usage
- Most of the environment variables are related to the storage backend and
are passed directly to the relevant libraries.
- For automated backups, it supports reading the password from environment variables
- Use of privileged functions
- None
- Use of cryptography / random number sources etc
- All the data in the repository is encrypted with AES-256-CTR and
authenticated with Poly1305-AES.
- Random bytes are generated properly using crypto/rand.
- scrypt is used as the KDF to derive cryptographic keys from the user password
together with the other KDF parameters.
- Overall, the project seems to be following general best practices.
- Use of temp files
- Some features such as backup and prune make use of the temporary filesystem.
Such files and directories have restic in their name and can be easily
identified.
- Use of networking
- Outgoing network calls from the client go to the storage backends such as S3,
Azure, sftp, REST server etc. restic does not listen on any port.
- Use of WebKit
- None
- Use of PolicyKit
- None
- Any significant cppcheck results
- None
- Any significant Coverity results
- Coverity reported a total of 1513 entries, most of them for the included
libraries. There was no severity information and everything was marked as
unclassified.
- Many detections related to file locks, flagged as potential race conditions
or deadlocks, are mostly false positives.
- A few other detected issues regarding insecure file permissions are also
false positives.
- The one use of risky crypto (MD5) is for calculating a content hash, which
should not be a problem.
- The "cert validation disabled" detection is a false positive, as it is
controlled by a user flag.
- There are a lot of detections for suppressed error messages, which are
harmless.
- Any significant shellcheck results
- None
- Any significant bandit results
- None
- Any significant govulncheck results
- None
- Any significant Semgrep results
- Found the use of 'math/rand' to generate random data, which is a false
positive since it is only used to generate a temporary value unrelated
to any cryptographic operation.
Security team ACK for promoting restic to main. The project is active, well
maintained, has good documentation along with proper test suites, and was
designed with functionality, performance and security in mind.
** Changed in: restic (Ubuntu)
Status: New => In Progress
** Changed in: restic (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2134530
Title:
MIR for Restic