using an (older) backup of a repository results in inappropriate "attack or unsafe" warning #5722

@jumper444

Have you checked borgbackup docs, FAQ, and open Github issues?

Yes

Is this a BUG / ISSUE report or a QUESTION?

Issue/Suggestion

System information. For client/server mode post info for both machines.

n/a

Your borg version (borg -V).

1.1.13

Operating system (distribution) and version.

n/a

Hardware / network configuration, and filesystems used.

n/a

How much data is handled by borg?

n/a

Full borg commandline that led to the problem (leave away excludes and passwords)

using a backup (older) repository normally "borg create .....", etc.

Describe the problem you're observing.

I have a borg repository that I experimented with and didn't like my changes. So I got a backup copy of the repository from a few weeks prior and resumed using it normally. Upon attempted use (conducting a regular file backup "borg create") a message/error came back:

"Cache, or information obtained from the security directory is newer than repository - this is either an attack or unsafe (multiple repos with same ID)"

I searched docs, issues, net, etc. and tried to figure out the issue and/or fix. (I knew of course it was because I had restored a repository, but I couldn't figure out how to fix it or tell borg things were OK and to proceed.) I deleted cache. Did "borg check", etc. Ultimately (after frustration) I figured out that I needed to manually dig into a hidden directory and delete some files associated with the (newer/deleted/scrapped) repository before borg would then run correctly (with my restored backup). (I think it was deleting cache/security, but don't remember exactly at this point.)

COMMENTS AND SUGGESTIONS:

  1. Restoring a backup of a repository (after corrupting or losing or testing the original) is not an unusual thing to do. Throwing this error that doesn't mention that situation is not user friendly, generates fear, and is unhelpful.

  2. I suggest the message be changed, such as to: "Cache, or information obtained from the security directory is newer than repository - this is either an attack or unsafe (multiple repos with same ID) UNLESS YOU ARE USING AN OLD/BACKUP VERSION OF A REPOSITORY THAT HAS BEEN RESTORED. IF THAT IS THE CASE THEN YOU NEED TO REMOVE/RESET SECURITY PARAMETERS USING "borg delete --securitycache-only""

  3. Since use of backup files in computer world is not abnormal, not only should the error message mention it, but there should also be a command that resets or fixes that security information (instead of manual file search and destroy). There is already a flag to delete a repository cache. I therefore suggest adding a new flag to the "borg delete" command which will purge/reset/remove/fix the necessary security information (I don't know the specific files...whatever needs to be done so a person can use an older backup.) I have above suggested "delete --securitycache-only", but a better idea is likely.

  4. Documentation should mention this flag in the "delete" section, of course, but I also suggest a general section in the "additional notes" or other appropriate doc area that covers the use of an older backup resulting in a "you might be attacked or unsafe" improperly alarming somebody. I was unable to find any such discussion and I simply wanted Borg to use the repository and I knew everything was ok. I couldn't determine how. If the warning/error message is rewritten as in #2 above then it will automatically point the user to "delete --securitycache-only" whereby the documentation there will say something like "If you are using an old version of a repository and KNOW that you do not have a hack or security situation, then you can reset the security parameters with this flag....", etc. A separate "additional notes" section might not be needed in that case.

I believe these steps would make a repository restore situation clearer as to what is happening and how to address Borg suspecting a hack (and how to fix the situation.)

Can you reproduce the problem? If so, describe how. If not, describe troubleshooting steps you took before opening the issue.

n/a

Include any warning/errors/backtraces from the system logs

n/a
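
The situation reported above, as an added example that is not part of the original issue and is not Borg's code: a simplified model of a client-side rollback check that remembers the newest manifest timestamp seen per repository ID. The `SecurityDir` class, its one-file-per-repo layout, the `reset` override and all sample values are assumptions made for illustration.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

REPO = "constructed-repo-id"  # constructed sample value, not a real repository ID

class ReplayDetected(Exception):
    """Client-side state is newer than what the repository presents."""

class SecurityDir:
    """Hypothetical per-client store: one timestamp file per repository ID."""
    def __init__(self, root):
        self.root = Path(root)

    def _path(self, repo_id):
        return self.root / f"{repo_id}.manifest-ts"

    def last_seen(self, repo_id):
        p = self._path(repo_id)
        return datetime.fromisoformat(p.read_text()) if p.exists() else None

    def check_and_update(self, repo_id, manifest_ts):
        """Refuse a repository whose manifest is older than one already seen."""
        seen = self.last_seen(repo_id)
        if seen is not None and manifest_ts < seen:
            # Same signal for an attacker serving stale data and for a restore.
            raise ReplayDetected(f"{repo_id}: {manifest_ts} is older than {seen}")
        self._path(repo_id).write_text(manifest_ts.isoformat())

    def reset(self, repo_id):
        """Operator override, only after confirming a deliberate restore."""
        self._path(repo_id).unlink(missing_ok=True)

def demo():
    """Constructed scenario: use repo, restore a weeks-old copy, reset, resume."""
    old = datetime(2021, 1, 1, tzinfo=timezone.utc)
    new = datetime(2021, 1, 20, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        sec = SecurityDir(d)
        sec.check_and_update(REPO, old)
        sec.check_and_update(REPO, new)      # normal use moves the mark forward
        try:
            sec.check_and_update(REPO, old)  # restored copy with the same ID
            blocked = False
        except ReplayDetected:
            blocked = True
        sec.reset(REPO)                      # explicit, audited operator action
        sec.check_and_update(REPO, old)      # restored repository now accepted
        return blocked, sec.last_seen(REPO) == old
```

The check cannot tell a deliberate restore from a rolled-back repository served by someone else, which is why the override is a separate, explicit step rather than an automatic fallback.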
