Home Explore Help
Sign In
mirrors
/
borg
mirror of https://github.com/borgbackup/borg
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #6769 from ThomasWaldmann/safe-secure-erase-1.2

secure_erase: avoid collateral damage, fixes #6768
TW 3 years ago
parent
73b97f339b afcebf32f7
commit
bab00fb47b
2 changed files with 18 additions and 8 deletions
Unified View Show Diff Stats
  1. 16 6
      src/borg/helpers/fs.py
  2. 2 2
      src/borg/repository.py

+ 16 - 6
src/borg/helpers/fs.py
View File 

@@ -189,13 +189,23 @@ def scandir_inorder(*, path, fd=None):
 
     return sorted(os.scandir(arg), key=scandir_keyfunc)
 
     return sorted(os.scandir(arg), key=scandir_keyfunc)
 
 
 
 
 
-def secure_erase(path):
 
-    """Attempt to securely erase a file by writing random data over it before deleting it."""
 
+def secure_erase(path, *, avoid_collateral_damage):
 
+    """Attempt to securely erase a file by writing random data over it before deleting it.
 
+
 
+    If avoid_collateral_damage is True, we only secure erase if the total link count is 1,
 
+    otherwise we just do a normal "delete" (unlink) without first overwriting it with random.
 
+    This avoids other hardlinks pointing to same inode as <path> getting damaged, but might be less secure.
 
+    A typical scenario where this is useful are quick "hardlink copies" of bigger directories.
 
+
 
+    If avoid_collateral_damage is False, we always secure erase.
 
+    If there are hardlinks pointing to the same inode as <path>, they will contain random garbage afterwards.
 
+    """
 
     with open(path, 'r+b') as fd:
 
     with open(path, 'r+b') as fd:
 
-        length = os.stat(fd.fileno()).st_size
 
-        fd.write(os.urandom(length))
 
-        fd.flush()
 
-        os.fsync(fd.fileno())
 
+        st = os.stat(fd.fileno())
 
+        if not (st.st_nlink > 1 and avoid_collateral_damage):
 
+            fd.write(os.urandom(st.st_size))
 
+            fd.flush()
 
+            os.fsync(fd.fileno())
 
     os.unlink(path)
 
     os.unlink(path)

+ 2 - 2
src/borg/repository.py
View File 

@@ -302,7 +302,7 @@ class Repository:
 
 
 
         if os.path.isfile(old_config_path):
 
         if os.path.isfile(old_config_path):
 
             logger.warning("Old config file not securely erased on previous config update")
 
             logger.warning("Old config file not securely erased on previous config update")
 
-            secure_erase(old_config_path)
 
+            secure_erase(old_config_path, avoid_collateral_damage=True)
 
 
 
         if os.path.isfile(config_path):
 
         if os.path.isfile(config_path):
 
             link_error_msg = ("Failed to securely erase old repository config file (hardlinks not supported). "
 
             link_error_msg = ("Failed to securely erase old repository config file (hardlinks not supported). "
 
@@ -329,7 +329,7 @@ class Repository:
 
                            "read-only repositories." % (e.strerror, e.filename))
 
                            "read-only repositories." % (e.strerror, e.filename))
 
 
 
         if os.path.isfile(old_config_path):
 
         if os.path.isfile(old_config_path):
 
-            secure_erase(old_config_path)
 
+            secure_erase(old_config_path, avoid_collateral_damage=True)
 
 
 
     def save_key(self, keydata):
 
     def save_key(self, keydata):
 
         assert self.config
 
         assert self.config