Authenticated server user can see all other users' snapshots via web interface

draga79 · November 18, 2020, 10:57am

Hello, first of all thank you for Kopia. I find it an interesting project and quite useful.
I’ve noticed a problem: I’ve created a repository and, then, started a Kopia server to connect to that repository. I have some clients (each with different user/password) as I want to use a single repository for deduplication purposes. If I type “kopia snapshot ls --all” from a single client I can only see its snapshots, and it’s ok. But if I connect via web browser to https://xxxx:51515 and fill in any username and password set in the password file, I can see all the snapshots of all the clients. I find it quite unsafe…

Second, it would be great to have a “one file system” option, like the “x” switch of rsync.

Thank you.

jkowalski · November 19, 2020, 6:23am

Would you mind filing a bug on GitHub on the password issue, we should fix in the next release as we introduce ACL model for user accounts.

As for the “one file system”, it’s already supported via policies which you can attach to directories or globally:

kopia policy set --global --one-file-system true
kopia policy set <path> --one-file-system true

draga79 · November 19, 2020, 7:37am

Thank you for your reply. Github issue filled. I didn’t notice the policy option - that’s great.

Topic		Replies	Views
Server+S3. User see all repos Support	9	567	April 18, 2021
User read access to all snapshots Support	3	278	September 26, 2023
Repo password vs. Kopia server htpasswd Support	5	2078	October 26, 2021
Server mode and multiple repositories General Topics	7	94	September 23, 2024
Trying and failing to use Kopia-ui to do a local backup Support	5	68	October 21, 2024

Authenticated server user can see all other users' snapshots via web interface

Related topics