From cae3021785d81e89b96bbfb083ca2f51ffefe0f3 Mon Sep 17 00:00:00 2001 From: Alexander Batischev Date: Sun, 25 Apr 2021 16:51:08 +0300 Subject: Add CACHEDIR.TAG to the threat model --- obnam.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/obnam.md b/obnam.md index e788d96..c0f845d 100644 --- a/obnam.md +++ b/obnam.md @@ -129,6 +129,24 @@ addressed later. The mitigation technique against this threat is to encrypt the live data and its metadata before uploading it to the server. +## An attacker with access to live data can stealthily exclude files from the backup + +This threat arises from Obnam's support for [CACHEDIR.TAG][] files. As the spec +itself says in the "Security Considerations" section: + +> "Blind" use of cache directory tags in automatic system backups could +> potentially increase the damage that intruders or malware could cause to +> a system. A user or system administrator might be substantially less likely to +> notice the malicious insertion of a CACHDIR.TAG into an important directory +> than the outright deletion of that directory, for example, causing the +> contents of that directory to be omitted from regular backups. + +For now, the only mitigation is a setting called +`exclude_cache_tag_directories`, which users can disable if they want to avoid +this threat. + +[CACHEDIR.TAG]: https://bford.info/cachedir/ + # Software architecture ## Effects of requirements -- cgit v1.2.1
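Review bot: The mitigation paragraph at the end of the new section names `exclude_cache_tag_directories` but never states its default. The wording "which users can disable" implies the exclusion is on by default, so the threat applies to an unmodified configuration. The text should say that explicitly, and should also state the cost of disabling the setting (cache directories then get backed up). Because the threat is specifically that the exclusion goes unnoticed, consider also recording as a possible future mitigation that the client report every directory it skips because of a tag. In the quoted spec text, "CACHDIR.TAG" differs from the "CACHEDIR.TAG" spelling used in the rest of the section; if that is verbatim from the spec, mark it with [sic], otherwise correct it.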