ssh_filter_btrbk.sh: convert to POSIX sh
This commit finishes the work from the previous one and converts
ssh_filter_btrbk.sh to (mostly) pure POSIX Shell Command Language.
Instead of bash’s `=~`-operator for its `[[ … ]]`-compound-command it uses
`grep`.
At the time of writing, bash has at least the `nocasematch`-shell-option which
would have a negatve security impact for this program. While it’s not enabled
per default single users could potentially change that, not realising the
consequences.
Thus, moving away from this may also provide some hardening.
Unlike bash’s `=~`-operator, which matches against the whole string at once,
`grep` matches the pattern against each line of input.
This would allow for attacks by including a newline in the SSH command like in:
SSH_ORIGINAL_COMMAND="readlink /dev/stdout
cat /etc/shadow"
but is prevented by the general exclusion of newlines in commit TODO.
`grep` may return an exit status of `0` when used with its `-q`-option, even
when an error occurred.
Since this program is intended specifically for security purposes this shall be
avoided, even if such case is unlikely, and therefore its standard output and
standard error are redirected to `/dev/null` instead.
Further, using just:
local formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
rather than:
local formatted_restrict_path_list=""; formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
prevent `set -e` to take effect if the pipeline within the command substitution
fails, as the returned exit status of the whole command is the result of
`local`, not that of the assignment.
This is however no security problem here, as `formatted_restrict_path_list` is
only used for informative pruposes.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 04:33:10 +01:00
|
|
|
|
#!/bin/sh
|
2015-02-09 11:42:44 +01:00
|
|
|
|
|
2022-11-22 00:09:31 +01:00
|
|
|
|
# initialise and sanitise the shell execution environment
|
|
|
|
|
|
unset -v IFS
|
|
|
|
|
|
export LC_ALL=C
|
|
|
|
|
|
export PATH='/sbin:/bin:/usr/sbin:/usr/bin'
|
2015-07-08 14:54:56 +02:00
|
|
|
|
|
2022-11-22 00:09:31 +01:00
|
|
|
|
set -e -u
|
2015-02-09 11:42:44 +01:00
|
|
|
|
|
2015-07-08 14:54:56 +02:00
|
|
|
|
enable_log=
|
2015-09-02 19:20:58 +02:00
|
|
|
|
restrict_path_list=
|
|
|
|
|
|
allow_list=
|
2016-03-31 14:30:53 +02:00
|
|
|
|
allow_exact_list=
|
2017-03-17 20:39:51 +01:00
|
|
|
|
allow_rate_limit=1
|
2017-08-21 14:39:40 +02:00
|
|
|
|
allow_stream_buffer=1
|
2017-03-17 21:35:16 +01:00
|
|
|
|
allow_compress=1
|
2022-11-15 19:49:30 +01:00
|
|
|
|
compress_list='gzip|pigz|bzip2|pbzip2|bzip3|xz|lzop|lz4|zstd'
|
2015-02-09 11:42:44 +01:00
|
|
|
|
|
2018-10-10 22:43:28 +02:00
|
|
|
|
# note that the backslash is NOT a metacharacter in a POSIX bracket expression!
|
|
|
|
|
|
option_match='-[a-zA-Z0-9=-]+' # matches short as well as long options
|
2022-11-21 22:12:13 +01:00
|
|
|
|
file_match_sane='/[0-9a-zA-Z_@+./-]*' # matches file path (equal to ${file_match} in btrbk < 0.32.0)
|
2021-07-14 20:34:40 +02:00
|
|
|
|
file_match="/[^']*" # btrbk >= 0.32.0 quotes file arguments: match all but single quote
|
|
|
|
|
|
file_arg_match="('${file_match}'|${file_match_sane})" # support btrbk < 0.32.0
|
2018-10-10 22:43:28 +02:00
|
|
|
|
|
2015-07-08 18:05:39 +02:00
|
|
|
|
log_cmd()
|
2015-02-09 11:42:44 +01:00
|
|
|
|
{
|
2022-11-21 22:12:13 +01:00
|
|
|
|
local priority="$1"
|
|
|
|
|
|
local authorisation_decision="$2"
|
|
|
|
|
|
local reason="${3-}"
|
|
|
|
|
|
|
|
|
|
|
|
if [ -n "${enable_log}" ]; then
|
|
|
|
|
|
logger -p "${priority}" -t ssh_filter_btrbk.sh "${authorisation_decision} (Name: ${LOGNAME:-<unknown>}; Connection: ${SSH_CONNECTION:-<unknown>})${reason:+: ${reason}}: ${SSH_ORIGINAL_COMMAND}"
|
2015-02-09 11:42:44 +01:00
|
|
|
|
fi
|
2015-07-08 18:05:39 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-09-02 19:20:58 +02:00
|
|
|
|
allow_cmd()
|
|
|
|
|
|
{
|
2022-11-21 22:12:13 +01:00
|
|
|
|
local cmd="$1"
|
|
|
|
|
|
|
|
|
|
|
|
allow_list="${allow_list}|${cmd}"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-03-31 14:30:53 +02:00
|
|
|
|
allow_exact_cmd()
|
|
|
|
|
|
{
|
2022-11-21 22:12:13 +01:00
|
|
|
|
local cmd="$1"
|
|
|
|
|
|
|
|
|
|
|
|
allow_exact_list="${allow_exact_list}|${cmd}"
|
2016-03-31 14:30:53 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-07-08 18:05:39 +02:00
|
|
|
|
reject_and_die()
|
|
|
|
|
|
{
|
2022-11-15 19:55:23 +01:00
|
|
|
|
local reason="$1"
|
2022-11-21 22:12:13 +01:00
|
|
|
|
|
|
|
|
|
|
log_cmd 'auth.err' 'btrbk REJECT' "${reason}"
|
|
|
|
|
|
printf 'ERROR: ssh_filter_btrbk.sh: ssh command rejected: %s: %s\n' "${reason}" "${SSH_ORIGINAL_COMMAND}" >&2
|
2019-08-18 13:49:37 +02:00
|
|
|
|
exit 255
|
2015-02-09 11:42:44 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
run_cmd()
|
|
|
|
|
|
{
|
2022-11-15 19:49:30 +01:00
|
|
|
|
log_cmd 'auth.info' 'btrbk ACCEPT'
|
2022-11-21 22:12:13 +01:00
|
|
|
|
eval " ${SSH_ORIGINAL_COMMAND}"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
reject_filtered_cmd()
|
|
|
|
|
|
{
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if [ -n "${restrict_path_list}" ]; then
|
2021-07-14 20:34:40 +02:00
|
|
|
|
# match any of restrict_path_list,
|
2015-09-02 19:20:58 +02:00
|
|
|
|
# or any file/directory (matching file_match) below restrict_path
|
2021-07-14 20:34:40 +02:00
|
|
|
|
path_match="'(${restrict_path_list})(${file_match})?'"
|
|
|
|
|
|
path_match_legacy="(${restrict_path_list})(${file_match_sane})?"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
else
|
|
|
|
|
|
# match any absolute file/directory (matching file_match)
|
2021-07-14 20:34:40 +02:00
|
|
|
|
path_match="'${file_match}'"
|
|
|
|
|
|
path_match_legacy="${file_match_sane}"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
fi
|
2021-07-14 20:34:40 +02:00
|
|
|
|
# btrbk >= 0.32.0 quotes files, allow both (legacy)
|
|
|
|
|
|
path_match="(${path_match}|${path_match_legacy})"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if [ -n "${allow_compress}" ]; then
|
2019-07-30 21:50:52 +02:00
|
|
|
|
decompress_match="(${compress_list}) -d -c( -[pT][0-9]+)?"
|
|
|
|
|
|
compress_match="(${compress_list}) -c( -[0-9])?( -[pT][0-9]+)?"
|
2016-08-18 17:41:26 +02:00
|
|
|
|
else
|
|
|
|
|
|
decompress_match=
|
|
|
|
|
|
compress_match=
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
2019-07-30 21:50:52 +02:00
|
|
|
|
# rate_limit_remote and stream_buffer_remote use combined
|
|
|
|
|
|
# "mbuffer" as of btrbk-0.29.0
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if [ -n "${allow_stream_buffer}" ] || [ -n "${allow_rate_limit}" ]; then
|
2022-11-15 19:49:30 +01:00
|
|
|
|
mbuffer_match='mbuffer -v 1 -q( -s [0-9]+[kmgKMG]?)?( -m [0-9]+[kmgKMG]?)?( -[rR] [0-9]+[kmgtKMGT]?)?'
|
2017-08-21 14:39:40 +02:00
|
|
|
|
else
|
2019-07-30 21:50:52 +02:00
|
|
|
|
mbuffer_match=
|
2017-03-17 20:39:51 +01:00
|
|
|
|
fi
|
|
|
|
|
|
|
2015-09-02 19:20:58 +02:00
|
|
|
|
# allow multiple paths (e.g. "btrfs subvolume snapshot <src> <dst>")
|
2019-07-30 21:50:52 +02:00
|
|
|
|
allow_cmd_match="(${allow_list})( ${option_match})*( ${path_match})+"
|
|
|
|
|
|
stream_in_match="(${decompress_match} \| )?(${mbuffer_match} \| )?"
|
|
|
|
|
|
stream_out_match="( \| ${mbuffer_match})?( \| ${compress_match}$)?"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
ssh_filter_btrbk.sh: convert to POSIX sh
This commit finishes the work from the previous one and converts
ssh_filter_btrbk.sh to (mostly) pure POSIX Shell Command Language.
Instead of bash’s `=~`-operator for its `[[ … ]]`-compound-command it uses
`grep`.
At the time of writing, bash has at least the `nocasematch`-shell-option which
would have a negatve security impact for this program. While it’s not enabled
per default single users could potentially change that, not realising the
consequences.
Thus, moving away from this may also provide some hardening.
Unlike bash’s `=~`-operator, which matches against the whole string at once,
`grep` matches the pattern against each line of input.
This would allow for attacks by including a newline in the SSH command like in:
SSH_ORIGINAL_COMMAND="readlink /dev/stdout
cat /etc/shadow"
but is prevented by the general exclusion of newlines in commit TODO.
`grep` may return an exit status of `0` when used with its `-q`-option, even
when an error occurred.
Since this program is intended specifically for security purposes this shall be
avoided, even if such case is unlikely, and therefore its standard output and
standard error are redirected to `/dev/null` instead.
Further, using just:
local formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
rather than:
local formatted_restrict_path_list=""; formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
prevent `set -e` to take effect if the pipeline within the command substitution
fails, as the returned exit status of the whole command is the result of
`local`, not that of the assignment.
This is however no security problem here, as `formatted_restrict_path_list` is
only used for informative pruposes.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 04:33:10 +01:00
|
|
|
|
# `grep`’s `-q`-option is not used as it may cause an exit status of `0` even
|
|
|
|
|
|
# when an error occurred.
|
|
|
|
|
|
|
2019-07-30 21:50:52 +02:00
|
|
|
|
allow_stream_match="^${stream_in_match}${allow_cmd_match}${stream_out_match}"
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if printf '%s' "${SSH_ORIGINAL_COMMAND}" | grep -E "${allow_stream_match}" >/dev/null 2>/dev/null; then
|
2016-03-31 14:30:53 +02:00
|
|
|
|
return 0
|
2015-09-02 19:20:58 +02:00
|
|
|
|
fi
|
2016-03-31 14:30:53 +02:00
|
|
|
|
|
2021-03-21 12:53:22 +01:00
|
|
|
|
exact_cmd_match="^(${allow_exact_list})$";
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if printf '%s' "${SSH_ORIGINAL_COMMAND}" | grep -E "${exact_cmd_match}" >/dev/null 2>/dev/null; then
|
2016-03-31 14:30:53 +02:00
|
|
|
|
return 0
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
2022-11-21 22:12:13 +01:00
|
|
|
|
local formatted_restrict_path_list="$(printf '%s' "${restrict_path_list}" | sed 's/|/", "/g')"
|
|
|
|
|
|
reject_and_die "disallowed command${restrict_path_list:+ (restrict-path: \"${formatted_restrict_path_list}\")}"
|
2015-02-09 11:42:44 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
2017-03-17 21:22:13 +01:00
|
|
|
|
# check for "--sudo" option before processing other options
|
2016-11-21 14:15:57 +01:00
|
|
|
|
sudo_prefix=
|
2022-11-21 04:10:34 +01:00
|
|
|
|
for key in "$@"; do
|
2022-11-21 22:12:13 +01:00
|
|
|
|
if [ "${key}" = '--sudo' ]; then
|
|
|
|
|
|
sudo_prefix='sudo -n '
|
|
|
|
|
|
fi
|
|
|
|
|
|
if [ "${key}" = '--doas' ]; then
|
|
|
|
|
|
sudo_prefix='doas -n '
|
|
|
|
|
|
fi
|
2017-03-17 21:22:13 +01:00
|
|
|
|
done
|
|
|
|
|
|
|
2022-11-21 04:10:34 +01:00
|
|
|
|
while [ "$#" -ge 1 ]; do
|
2015-09-02 19:20:58 +02:00
|
|
|
|
key="$1"
|
|
|
|
|
|
|
2022-11-21 22:12:13 +01:00
|
|
|
|
case "${key}" in
|
2015-09-02 19:20:58 +02:00
|
|
|
|
-l|--log)
|
2016-03-31 15:05:08 +02:00
|
|
|
|
enable_log=1
|
|
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
2022-02-08 01:03:32 +01:00
|
|
|
|
--sudo|--doas)
|
2017-03-17 21:22:13 +01:00
|
|
|
|
# already processed above
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
-p|--restrict-path)
|
2016-03-31 15:05:08 +02:00
|
|
|
|
restrict_path_list="${restrict_path_list}|${2%/}" # add to list while removing trailing slash
|
|
|
|
|
|
shift # past argument
|
|
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
-s|--source)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
|
|
|
|
|
|
allow_cmd "${sudo_prefix}btrfs send"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
-t|--target)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs receive"
|
2019-09-26 19:50:23 +02:00
|
|
|
|
allow_cmd "${sudo_prefix}mkdir"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
2016-08-18 17:41:26 +02:00
|
|
|
|
-c|--compress)
|
2017-03-17 21:35:16 +01:00
|
|
|
|
# deprecated option, compression is always allowed
|
2016-08-18 17:41:26 +02:00
|
|
|
|
;;
|
|
|
|
|
|
|
2015-09-02 19:20:58 +02:00
|
|
|
|
-d|--delete)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs subvolume delete"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
-i|--info)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs subvolume find-new"
|
|
|
|
|
|
allow_cmd "${sudo_prefix}btrfs filesystem usage"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
--snapshot)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
--send)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs send"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
--receive)
|
2016-11-21 14:15:57 +01:00
|
|
|
|
allow_cmd "${sudo_prefix}btrfs receive"
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
|
|
|
|
|
*)
|
2022-11-21 22:12:13 +01:00
|
|
|
|
printf 'ERROR: ssh_filter_btrbk.sh: failed to parse command line option: %s\n' "${key}" >&2
|
2019-08-18 13:49:37 +02:00
|
|
|
|
exit 255
|
2016-03-31 15:05:08 +02:00
|
|
|
|
;;
|
2015-09-02 19:20:58 +02:00
|
|
|
|
esac
|
|
|
|
|
|
shift
|
|
|
|
|
|
done
|
|
|
|
|
|
|
2020-02-09 15:47:05 +01:00
|
|
|
|
# NOTE: subvolume queries are NOT affected by "--restrict-path":
|
2019-11-19 22:07:37 +01:00
|
|
|
|
# btrbk also calls show/list on the mount point of the subvolume
|
2021-07-14 20:34:40 +02:00
|
|
|
|
allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_arg_match}";
|
2020-05-24 00:13:10 +02:00
|
|
|
|
allow_cmd "${sudo_prefix}readlink" # resolve symlink
|
2021-07-14 20:34:40 +02:00
|
|
|
|
allow_exact_cmd "${sudo_prefix}test -d ${file_arg_match}" # check directory (only for compat=busybox)
|
2022-11-15 19:49:30 +01:00
|
|
|
|
allow_exact_cmd 'cat /proc/self/mountinfo' # resolve mountpoints
|
|
|
|
|
|
allow_exact_cmd 'cat /proc/self/mounts' # legacy, for btrbk < 0.27.0
|
2016-11-21 14:15:57 +01:00
|
|
|
|
|
2015-09-02 19:20:58 +02:00
|
|
|
|
# remove leading "|" on alternation lists
|
2022-11-15 19:55:23 +01:00
|
|
|
|
allow_list="${allow_list#\|}"
|
|
|
|
|
|
allow_exact_list="${allow_exact_list#\|}"
|
|
|
|
|
|
restrict_path_list="${restrict_path_list#\|}"
|
2015-09-02 19:20:58 +02:00
|
|
|
|
|
2022-11-21 22:12:13 +01:00
|
|
|
|
case "${SSH_ORIGINAL_COMMAND}" in
|
2019-08-16 01:27:43 +02:00
|
|
|
|
*\.\./*) reject_and_die 'directory traversal' ;;
|
2022-11-30 04:29:53 +01:00
|
|
|
|
*'
|
|
|
|
|
|
'*) reject_and_die 'unsafe character LF' ;;
|
2019-08-16 01:27:43 +02:00
|
|
|
|
*\$*) reject_and_die 'unsafe character "$"' ;;
|
|
|
|
|
|
*\&*) reject_and_die 'unsafe character "&"' ;;
|
|
|
|
|
|
*\(*) reject_and_die 'unsafe character "("' ;;
|
|
|
|
|
|
*\{*) reject_and_die 'unsafe character "{"' ;;
|
|
|
|
|
|
*\;*) reject_and_die 'unsafe character ";"' ;;
|
|
|
|
|
|
*\<*) reject_and_die 'unsafe character "<"' ;;
|
|
|
|
|
|
*\>*) reject_and_die 'unsafe character ">"' ;;
|
|
|
|
|
|
*\`*) reject_and_die 'unsafe character "`"' ;;
|
2022-11-21 22:12:13 +01:00
|
|
|
|
*\|*) [ -n "${allow_compress}" ] || [ -n "${allow_rate_limit}" ] || [ -n "${allow_stream_buffer}" ] || reject_and_die 'unsafe character "|"' ;;
|
2015-02-09 11:42:44 +01:00
|
|
|
|
esac
|
2016-08-18 17:41:26 +02:00
|
|
|
|
|
|
|
|
|
|
reject_filtered_cmd
|
|
|
|
|
|
run_cmd
|