Authenticated server user can see all other users' snapshots via web interface

draga79 · November 18, 2020, 10:57am

Hello, first of all thank you for Kopia. I find it an interesting project and quite useful.
I’ve noticed a problem: I’ve created a repository and, then, started a Kopia server to connect to that repository. I have some clients (each with different user/password) as I want to use a single repository for deduplication purposes. If I type “kopia snapshot ls --all” from a single client I can only see its snapshots, and it’s ok. But if I connect via web browser to https://xxxx:51515 and fill in any username and password set in the password file, I can see all the snapshots of all the clients. I find it quite unsafe…

Second, it would be great to have a “one file system” option, like the “x” switch of rsync.

Thank you.

jkowalski · November 19, 2020, 6:23am

Would you mind filing a bug on GitHub on the password issue, we should fix in the next release as we introduce ACL model for user accounts.

As for the “one file system”, it’s already supported via policies which you can attach to directories or globally:

kopia policy set --global --one-file-system true
kopia policy set <path> --one-file-system true

draga79 · November 19, 2020, 7:37am

Thank you for your reply. Github issue filled. I didn’t notice the policy option - that’s great.

Topic		Replies	Views
Server+S3. User see all repos Support	9	527	April 18, 2021
Repository Server, multiple users and dedup Support	1	704	September 20, 2021
Multiple server docker instances, uniqueness of snapshots Support	4	218	April 29, 2023
One repo, two SFTP accounts, repo is locked to a given client at a time Support	5	474	May 21, 2022
Restore from lan repository from another kopia install Support	2	355	September 7, 2023

Authenticated server user can see all other users' snapshots via web interface

Related Topics