Forget available only for admin

I'd like to ask about a possible idea, or maybe an alternative for this matter.
I found restic useful to manage many backups from the servers of many customers.
I can write a script and cron it on every server I want to back up.
These servers are used by other administrators for other software, or by other people at the customer.
These servers are on the customers' sites.
I want to be sure the restic repository will never use “forget” or any other command to delete something from the repository.
I am thinking about this idea: a password for use of the “backup” command, but another, different password for the administration of the repository, which can init, delete or forget any repository.
I am thinking about a repository with access to “read” and “add”, but not “delete”.
Thanks for your comments.

Hi there, welcome :wave:

This can be handled on the storage side. You can use:

  • rest-server with append-only mode
  • S3 (or some S3-compatible storage like MinIO) and utilize its IAM roles to allow certain tokens to not delete data (except for the locks/ folder, which is generally needed).

I do the latter, and if any client wants to run forget, it gets:

$ restic forget 22baf265
repository 81d34315 opened successfully, password is correct
Remove(<snapshot/22baf26580>) returned error, retrying after 582.280027ms: client.RemoveObject: Access Denied.
Remove(<snapshot/22baf26580>) returned error, retrying after 703.28564ms: client.RemoveObject: Access Denied.
...

Beware that this doesn’t prevent someone from overwriting an existing S3 object with an empty file. No IAM role can prevent that without also disallowing new uploads, but S3 versioning can help. (Restoring from such an attack can be complex, however. Rest-server in front of S3 is a better solution.)

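As an added example that is not part of this thread (and not restic's or any cloud provider's own code), the Python below writes out the kind of IAM policy the reply above describes, a backup-only credential that may list, read and upload anywhere in the repository but delete only under locks/, and runs a small simulator over the S3 calls each restic operation needs. The bucket name, the per-customer prefix, the object keys and the simplified IAM evaluator (explicit Deny wins, then any matching Allow, otherwise deny) are assumptions of the example.

```python
"""
Added example, not from the thread: a least-privilege S3 policy for a restic
backup client and a simulator showing which restic operations it permits.
Bucket, prefix and object keys are constructed placeholders.
"""
import fnmatch

BUCKET = "restic-backups"   # assumed bucket name
PREFIX = "customer-a"       # assumed per-customer repository prefix

# Policy for the backup-only credential: list, read and upload anywhere in the
# repository, but delete only under locks/ (restic removes its own lock files).
BACKUP_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListRepo", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "ReadAndUpload", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/*"},
        {"Sid": "UnlockOnly", "Effect": "Allow", "Action": "s3:DeleteObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/locks/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (assumption of this example): an explicit Deny
    wins, otherwise any matching Allow permits the call, otherwise it is denied.
    IAM wildcards (* and ?) are modelled with fnmatch."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _arn(key=None):
    """ARN of the bucket itself (key=None) or of an object under the repository prefix."""
    if key is None:
        return f"arn:aws:s3:::{BUCKET}"
    return f"arn:aws:s3:::{BUCKET}/{PREFIX}/{key}"


# The S3 calls each restic operation needs. Keys are shortened, constructed IDs;
# real restic keys are full SHA-256 hex names under these directories.
RESTIC_OPERATIONS = {
    "backup": [
        ("s3:ListBucket", None),
        ("s3:GetObject", "config"),
        ("s3:PutObject", "locks/5e1f2a"),
        ("s3:PutObject", "data/ab/ab91c3"),
        ("s3:PutObject", "index/7c04d9"),
        ("s3:PutObject", "snapshots/22baf26580"),
        ("s3:DeleteObject", "locks/5e1f2a"),   # restic unlocks after the run
    ],
    "forget": [("s3:DeleteObject", "snapshots/22baf26580")],
    "prune": [("s3:DeleteObject", "data/ab/ab91c3"),
              ("s3:DeleteObject", "index/7c04d9")],
    # The caveat from the reply: overwriting an existing key is still a PutObject.
    "overwrite existing pack with empty body": [("s3:PutObject", "data/ab/ab91c3")],
}


def operation_permitted(policy, operation):
    """True only if every S3 call the operation needs is allowed by the policy."""
    return all(is_allowed(policy, action, _arn(key))
               for action, key in RESTIC_OPERATIONS[operation])


def denied_calls(policy, operation):
    """The (action, key) pairs that would come back as Access Denied."""
    return [(action, key) for action, key in RESTIC_OPERATIONS[operation]
            if not is_allowed(policy, action, _arn(key))]


if __name__ == "__main__":
    for op in RESTIC_OPERATIONS:
        verdict = "permitted" if operation_permitted(BACKUP_ONLY_POLICY, op) else "denied"
        print(f"{op:42s} {verdict}  {denied_calls(BACKUP_ONLY_POLICY, op)}")
```

Running it shows backup permitted, forget and prune denied on the first object delete (the Access Denied retries in the transcript above), and the empty-body overwrite permitted, which is exactly why the reply recommends versioning or rest-server in front of S3 rather than IAM alone. The evaluator is a teaching model: a real deployment also involves bucket policies, permission boundaries and conditions such as `s3:prefix` on ListBucket, so test the finished policy against the real endpoint with a throwaway repository before trusting it.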

Ooh, that is a good catch. Thankfully my environment is at least that trustable, but I’ll think about this, thanks :+1:

The rest-server is interesting; I will evaluate it.
Right now I am using B2 from Backblaze, which has an internal versioning method for every file uploaded.
So B2 can be used as versioning, keeping the files safe from forget or delete.
But with B2, when the old files are needed, extra work is required: choose and wait for the old files, then recreate them in storage available to restic, and then we can download.
But for a backup that will be needed only a few times, this can be acceptable.