Python scripts executed on the backup server for managing Linux and Windows system and application data backups, developed by adminsys for adminsys.
Replace all deprecated and unsafe command execution methods with secure subprocess.run() calls using list arguments.

Changes:
- Replace os.popen() with subprocess.run() in tisbackup_gui.py
- Replace os.system() with subprocess.run() in tasks.py and backup_xva.py
- Add input validation for device/partition names (regex-based)
- Fix file operations to use context managers (with statement)
- Remove wildcard import from shutil
- Add timeout protection to all subprocess calls (5-30s)
- Improve error handling with proper try/except blocks

Security improvements:
- Prevent command injection vulnerabilities in USB disk operations
- Validate device paths with regex before system calls
- Use list arguments instead of shell=True to prevent injection
- Add proper error handling instead of silent failures

Code quality improvements:
- Replace deprecated os.popen() (deprecated since Python 2.6)
- Use context managers for file operations
- Remove wildcard imports for cleaner namespace
- Add comprehensive error handling and logging

Documentation:
- Add SECURITY_IMPROVEMENTS.md documenting all changes
- Document remaining security issues and recommendations
- Include testing recommendations and migration notes

BREAKING CHANGE: None - all changes are backward compatible

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.gitea/workflows
.vscode
deb
docs
docs-sphinx-rst
libtisbackup
nginx
rpm
samples
scripts
static
templates
.dockerignore
.gitignore
.hadolint.yml
.pre-commit-config.yaml
backup.sh
compose.yml
config.py
cron.sh
Dockerfile
entrypoint.sh
pyproject.toml
README.md
requirements.txt
SECURITY_IMPROVEMENTS.md
tasks.py
tisbackup_gui.py
tisbackup.py
uv.lock
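
The commit message above describes regex validation of device names, subprocess.run() with list arguments instead of a shell string, and a timeout on every call. A minimal sketch of that pattern follows, as an added example and not TISBackup's own code: the regex, the function names and the Python child process standing in for a real disk tool are all assumptions.

```python
import re
import subprocess
import sys

# Assumed allow-list of block-device nodes (sdb, sdb1, nvme0n1p2, mmcblk0p1).
# The project's actual pattern is not shown on this page.
DEVICE_RE = re.compile(r"/dev/(sd[a-z]{1,2}\d{0,3}|nvme\d+n\d+(p\d+)?|mmcblk\d+(p\d+)?)")

# Stand-in for a real tool such as blkid: a child process that prints argv[1].
STAND_IN = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def validate_device(path):
    """Return path if it names a plain device node, else raise ValueError."""
    # fullmatch, not match(...$): '$' would also accept a trailing newline.
    if not isinstance(path, str) or not DEVICE_RE.fullmatch(path):
        raise ValueError(f"rejected device path: {path!r}")
    return path


def run_tool(argv, timeout=10.0):
    """Run argv without a shell; failures and timeouts become RuntimeError."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=True)
    except subprocess.TimeoutExpired as exc:
        raise RuntimeError(f"command timed out after {timeout}s") from exc
    except (subprocess.CalledProcessError, OSError) as exc:
        raise RuntimeError(f"command failed: {exc}") from exc
    return proc.stdout


def describe_device(path):
    """Validate first, then pass the path as one argv element."""
    return run_tool(STAND_IN + [validate_device(path)]).strip()


def argv_seen_by_child(value):
    """List arguments deliver shell metacharacters to the child as literal text."""
    return run_tool(STAND_IN + [value]).strip()


if __name__ == "__main__":
    hostile = "/dev/sdb1; id"  # constructed input
    print(describe_device("/dev/sdb1"))
    print(repr(argv_seen_by_child(hostile)))
    try:
        describe_device(hostile)
    except ValueError as err:
        print(err)
```

The two controls are independent: the list form keeps metacharacters from reaching a shell, while the allow-list keeps unexpected paths from reaching the tool at all.
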
TISBackup
This is the repository of the TISBackup project, licensed under GPLv3.
TISBackup is a Python script to back up servers.
It runs at regular intervals to retrieve different data types on remote hosts such as database dumps, files, virtual machine images and metadata.
Install using Compose
Clone this repository and build the pod image using the provided Dockerfile:
docker build . -t tisbackup:latest
In another folder, create the following subfolders:
mkdir -p /var/tisbackup/{backup/log,config,ssh}/
Expected structure:
/var/tisbackup/
├── backup/                      <-- backup location
├── config/
│   ├── tisbackup-config.ini     <-- backups config
│   └── tisbackup_gui.ini        <-- tisbackup config
└── ssh/
    ├── id_rsa                   <-- SSH Key
    └── id_rsa.pub               <-- SSH PubKey
compose.yaml
Adapt the compose.yml file to suit your needs. One pod acts as the WebUI front end and the other as the crond scheduler.
services:
  tisbackup_gui:
    container_name: tisbackup_gui
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    ports:
      - 9980:8080
  tisbackup_cron:
    container_name: tisbackup_cron
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./ssh/:/config_ssh/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    command: "/bin/bash /opt/tisbackup/cron.sh"
Configuration
- Provide an SSH key and store it in ./ssh
- Set up config files in the ./config directory
tisbackup-config.ini
[global]
backup_base_dir = /backup/
# backup retention in days
backup_retention_time=90
# for nagios check in hours
maximum_backup_age=30
[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
private_key=/config_ssh/id_rsa
ssh_port = 22
tisbackup_gui.ini
[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/
Run!
docker compose up -d
NGINX reverse-proxy
Sample config file
server {
    listen 443 ssl http2;
    # Remove '#' in the next line to enable IPv6
    # listen [::]:443 ssl http2;
    server_name tisbackup.poudlard.lan;
    ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:9980/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
About
Tranquil IT is the original author of TISBackup.
The documentation is provided under the CC-BY-SA license and can be found on Read the Docs.