Anyone using the Mage_Backup module?

[elidrissidev]

Just noticed today that the Mage_Backup module is disabled by default and I'm wondering if anyone actually finds it useful or is it a dead module that can potentially be removed in the future like Compiler and others?

[justinbeaty]

Looks like it was disabled by a security patch. I've never used it and would vote to remove it.

[addison74]

Its removal has been discussed but it is deeply embedded in the Magento source code. In addition there are extensions that still use it. I personally automatically dump remotely to the entire database.

[justinbeaty]

For context, here are two discussions: #926 #1368

Still, if someone is motivated and makes a PR to remove all traces of Mage_Backup, I'd definitely support it.

[elidrissidev]

Yeah it's a bit confusing, I was wondering myself why the link wasn't showing under Tools when I enabled it. I'd vote for it to be removed in v20 if it's possible.

[luigifab]

I removed it for my dev environment. But like ADDISON74 says, I remember that there are some references to it in core, but I didn't searched more. I vote for his removal.

[fballiano]

I've created #2259 to remove it.

[addison74]

In terms of functionality I see that there are no issues. The module continues to do what it needs to do. I activated it by editing the /etc/modules/Mage_All.xml file, as well as in Blackend> Advanced> "Disable Modules Output" section.

For a user who does not have access to the Terminal and does not know how to make dumps and rollbacks of the database is still useful. Its elimination must be analyzed in detail both in terms of its integration into the code and the elimination of its facilities.

This is an explanation from Magento team when 1.9.4.0 was released:

Note that after updating to this release, third-party modules that depend upon Magento core backup functionality will no longer work. Alternatively, you can use one of these two methods to enable database backups:

Change false to true in the config > modules > Mage_Backup > active setting of app/etc/modules/Mage_All.xml.
From the Admin, change the System > Configuration > Advanced > Disable Modules Output > Mage_Backup from disabled to enabled.

At a first evaluation I would not vote to remove the module from the OpenMage code.

[addison74]

I tried to understand why this module was disabled in 1.9.4.0, given that backing up this way from Backend was a handy solution for small and medium-sized stores. The Magento team made only a brief statement: "It no longer meets compliance requirements. Saved backups should be encrypted".

Instead of finding a solution to this issue they chose to disable it. Over time starting with November 2018 there have been discussions that if it is enabled it creates a security hole in Magento. This created a false impression about this module, when in fact the issue was completely different. If someone gets backups they can use the information, some of them confidential about sales, customers.

If what is saved by this module is secured and protected from being accessed from outside then there would be no issues. Whoever has access to a server will not be interested in the files located in /var/backup when he can access any information in the file system and database.

This module can be left alone in OpenMage and if data security over backups is ensured it can be enabled by those who need it. Reading the forums of the time there were enough who missed it. If you choose to remove it through PR #2259 please offer in README.md alternative solutions for making backups. At that time Magento showed a couple but the link is no longer available and it doesn't exist in the Internet Archive.

[kiatng]

@addison74 I appreciate your investigative report. I vote to remove it as it increases the attack surface. It's a security liability.