The git-annex-shell wrapper allows the configuration of a readonly repository (through the GIT_ANNEX_READONLY environment and friends) but that is useful only when we want users to access the data and not add to it.

It would be nice to have a write-only or "append-only" mode. My use case is a backup server that would receive git-annex objects and changes, but would forbid the client from deleting content on the server. This is to protect contents from being destroyed (or encrypted as is a common pattern with ransomware) by a compromised client.

There has been some discussions and work done to protect branches in such a way, in git-hook to sanity-check git-annex branch pushes, and that could help, but even with git hooks, a malicious client could still drop content.

It seems to me this would require modifications to the git-annex-shell wrapper to forbid certain operations like dropkey, lockcontent, or p2pstdio although I'm unfamiliar with the last two so I am not certain they could be harmful. Maybe p2pstdio itself could be somewhat fixed to allow only append commands.

Is it fair to assume that recvkey is safe in this context, ie. that it wouldn't overwrite an existing bit of content without first doing a checksum?

Thanks! -- anarcat

Good idea.. Implemented.

I'm not entirely happy with the name, but could not think of a better one.

Yes, recvkey will never overwrite content already in the annex, and unless you turn off annex.verify, hashes will also be checked before letting anything into the annex.

Of course, if non-hashed keys are used, and an object has not reached the repository yet from a trusted source, an attacker could slip in something malicious without being noticed. Setting annex.securehashesonly would be a good idea to prevent this.

p2pstdio implements the same security policies as the rest of git-annex-shell.


Update: I didn't close this before, but it seems done --Joey