diff options
author | Marian Beermann <public@enkore.de> | 2017-03-13 10:16:08 +0100 |
---|---|---|
committer | enkore <public@enkore.de> | 2017-03-13 16:29:32 +0100 |
commit | d1738ec31507f55a710b106d09b66761b3a977ba (patch) | |
tree | 5385f1ef51453044be514903a131ccdb481a0e49 | |
parent | 86867e51711c2cf099b5d6b50eb29fb6f2c6b8b2 (diff) |
docs/security: reiterate that RPC in Borg does no networking1.1.0.dev0
-rw-r--r-- | docs/internals/security.rst | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/docs/internals/security.rst b/docs/internals/security.rst index 617bf90b3..978338b7b 100644 --- a/docs/internals/security.rst +++ b/docs/internals/security.rst @@ -285,9 +285,21 @@ over an encrypted SSH channel (the system's SSH client is used for this by piping data from/to it). This means that the authorization and transport security properties -are inherited from SSH and the configuration of the SSH client -and the SSH server. Therefore the remainder of this section -will focus on the security of the RPC protocol within Borg. +are inherited from SSH and the configuration of the SSH client and the +SSH server -- Borg RPC does not contain *any* networking +code. Networking is done by the SSH client running in a separate +process, Borg only communicates over the standard pipes (stdout, +stderr and stdin) with this process. This also means that Borg doesn't +have to directly use a SSH client (or SSH at all). For example, +``sudo`` or ``qrexec`` could be used as an intermediary. + +By using the system's SSH client and not implementing a +(cryptographic) network protocol Borg sidesteps many security issues +that would normally impact distributing statically linked / standalone +binaries. + +The remainder of this section will focus on the security of the RPC +protocol within Borg. The assumed worst-case a server can inflict to a client is a denial of repository service. |