author | Lars Wirzenius <liw@liw.fi> | 2021-04-26 10:58:34 +0000 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2021-04-26 10:58:34 +0000 |
commit | 80aaff3f70f790141fbc8caa8a2f4830cd5e3fee (patch) | |
tree | 6faf93719ae82b5c8e935857f4c49bd8a6ee9157 | |
parent | 25f968b2f119489efdcc83b2c544680fb09bf458 (diff) | |
parent | cae3021785d81e89b96bbfb083ca2f51ffefe0f3 (diff) | |
download | obnam2-80aaff3f70f790141fbc8caa8a2f4830cd5e3fee.tar.gz |
Merge branch 'feature/mention-cachedir-threat' into 'main'
Add CACHEDIR.TAG to the threat model
See merge request larswirzenius/obnam!141
-rw-r--r-- | obnam.md | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -129,6 +129,24 @@ addressed later. The mitigation technique against this threat is to encrypt the live data and its metadata before uploading it to the server. +## An attacker with access to live data can stealthily exclude files from the backup + +This threat arises from Obnam's support for [CACHEDIR.TAG][] files. As the spec +itself says in the "Security Considerations" section: + +> "Blind" use of cache directory tags in automatic system backups could +> potentially increase the damage that intruders or malware could cause to +> a system. A user or system administrator might be substantially less likely to +> notice the malicious insertion of a CACHDIR.TAG into an important directory +> than the outright deletion of that directory, for example, causing the +> contents of that directory to be omitted from regular backups. + +For now, the only mitigation is a setting called +`exclude_cache_tag_directories`, which users can disable if they want to avoid +this threat. + +[CACHEDIR.TAG]: https://bford.info/cachedir/ + # Software architecture ## Effects of requirements |
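Review bot: The mitigation paragraph at the end of the new section names `exclude_cache_tag_directories` without stating its default value, so a reader of the threat model cannot tell whether a default configuration is exposed to this threat. State the default next to the setting name, and note the trade-off of disabling it (directories carrying the tag would then be included in the backup). Separately, the quoted spec text spells the file name "CACHDIR.TAG" while the link label and the rest of the section use "CACHEDIR.TAG"; if that spelling is verbatim from the spec, mark it with "[sic]", otherwise correct it.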