#36277 Akeeba permissions query

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Latest post by webxsolution on Wednesday, 08 December 2021 01:33 CST

webxsolution

Hi,

We have a group of lower admins that need access to:

  1. Perform backups,
  2. Restore the site from backups.

We don't want them to:

  1. Access the configuration,
  2. Download backups.

Akeeba's permissions have the following:

  1. Backup - Enabled for our admins.
  2. Configure - If we enable this, then users can use the manage backup page to restore backups. The unwanted side effect is that users can access the configuration page, and thus have access to the Post-processing engine options, which effectively give them access to "download" backups by emailing them to themselves or FTP-ing the backup somewhere else.
  3. Download - Denied for our admins.

Is there a way around this, as you effectively can't have Configure enabled and Download disabled without the former contravening the latter? Ideally, a new 4th Restore permission would work nicely here to separate restoration in the manage backup page from the Configure (and therefore Download) permission.

I hope that was clear enough.

Thanks,

Paul

webx.solutions

nicholas
Akeeba Staff
Manager

Giving someone a hypothetical “Restore” permission would be equivalent to making them a Super User. This is probably a non-obvious implication for you. So please allow me to explain.

Restoring a backup requires being able to extract the backup archive and run the restoration script.

The former is really not a major security issue, even though it does raise some security and privacy concerns because the older version of the site may have security or privacy issues. It also raises a practical concern. An end user restoring a backup before Joomla or an extension was updated may end up creating a state with mixed-up files from different versions of Joomla / third party extensions, which may break the site. Not having full Super User privileges means they cannot fix it.

However, these concerns pale in comparison with running the restoration script. The restoration script shows you the database credentials AND allows you to reset the password of a Super User. This means that anyone restoring a backup automatically gets the Crown Jewels of your site (the database credentials) and can elevate their privileges to Super User. Keep in mind that we are talking about users you do not trust with access to Akeeba Backup's configuration, let alone Super User access. Furthermore, if this user's login credentials are stolen or an attacker otherwise gains access to that person's user account, they can now stealthily take over the site just by restoring a backup.

That's why you need the full Configure permission to restore a backup. We make the reasonable assumption that you are not going to grant that permission unless you REALLY trust that person. If you don't trust them enough to have access to the backup configuration, you most definitely should not trust them to restore a backup (and essentially let them become Super Users at will).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

webxsolution

Hi Nicholas,

Thanks for taking the time to explain. Having seen how much "extra" access the user gets to the site with access to the restoration process, it makes more sense that it is bundled with the entire Configure permissions.

Thanks again,

Paul

webx.solutions
