Should no-tweak mode become the default?
Carl E. Thompson
lists-rsync at carlthompson.net
Sat May 10 22:22:43 GMT 2008
-------- Original Message --------
Subject: Re: Should no-tweak mode become the default?
From: Paul Slootman <paul+rsync at wurtel.net>
To: rsync at lists.samba.org
Date: 05/10/2008 12:04 PM
> My two cents...
> A backup system should at the least ensure that the last version is
> correct. If it has to tweak the attributes to do that, it should.
> If another behaviour is required, then that's the responsibility of the
> software used; rsync should not have to be changed to do that, and hence
> the default should not be changed.
The last backup is always correct in either case. The problem is that
all backups including those prior to the last can be rendered unusable
(accidentally or not) with the current behavior of rsync. So it's
possible for a malicious user that gains access to a computer to destroy
_all_ backups of that computer on a remote backup server that uses rsync
(and there are many). Fixing rsync to not tweak attributes by default
fixes that vulnerability without having to change all of those backup
programs to use something else.
> You don't want --link-dest, but IMHO that solves the problem for any
> backup software. Dirvish for example works very well in creating a fresh
> snapshot that's accurate every time without changing older snapshots.
"--link-dest" introduces other security problems itself which I have
already discussed at length. Trading one vulnerability for others is not
a good solution in my opinion which is why I'm not thrilled with
"--link-dest" being the answer.
> Paul Slootman