[pbs-devel] [PATCH v2 proxmox-backup 09/31] api: backup: add no-timestamp-check flag to backup endpoint
Christian Ebner
c.ebner at proxmox.com
Wed Aug 7 12:48:22 CEST 2024
On 8/7/24 12:33, Fabian Grünbichler wrote:
> Quoting Christian Ebner (2024-08-01 09:43:41)
>> By setting the optional `no-timestamp-check` flag when calling the
>> `backup` endpoint, the check for a strictly monotonically increase
>> of the snapshots backup timestamp will be skipped.
>> This has to be used when pushing backups to a target, where monotonic
>> increase of the snapshot timestamp with respect to the previous
>> snapshot present in the group cannot be guaranteed.
>
> why is this the case for push based syncing, but not pull based syncing? both
> could have the same semantics, and use "last snapshot on sync target" as
> starting point for syncing..
This patch was initially written when the full skip over previous
snapshot logic for push was not in place (just yet).
So from the top of my head I think you are actually right, and this is
not even needed with the current push implementation, as the push job
should only ever sync snapshots newer than the previous snapshot present.
I will check if this is the case and given your valid concerns about
being able to abuse this, drop this patch altogether.
>
> I am not sure this needs to be part of a minimal implementation of push based
> syncing, we should probably rather tackle this for both kinds of syncs as a
> follow-up (e.g., the "re-sync corrupt and/or missing snapshots" feature).
>
> it's also a bit dangerous, since it allows "stuffing" a backup group
> retro-actively with fake backups, which in turn allows an attacker to abuse
> automatic pruning to prune all real backup snapshots..
>
More information about the pbs-devel
mailing list