diff --git a/ChangeLog b/ChangeLog index 1184503..dde290c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ btrbk-current * Allow converting backup disks to source disks (close #114). + * Add "backend btrfs-progs-sudo" configuration option (close #115). * Show aggregate "size" and "used" for "usage" action (close #119). * raw_target_encrypt: Always set "gpg --no-random-seed-file": prevents creation of "~/.gnupg/random_seed" with slight perfomance diff --git a/README.md b/README.md index 28c3ede..417a14a 100644 --- a/README.md +++ b/README.md @@ -406,15 +406,21 @@ Please refer to [ssh_filter_btrbk(1)] for a description of the of the "authorized_keys" file format. Also consider setting up ssh access for a user dedicated to btrbk and -either set suid root on ssh_filter_btrbk.sh or use the "--sudo" option -and configure /etc/sudoers accordingly. For even more security, you -can setup a chroot environment in /etc/ssh/sshd_config (see -[sshd_config(5)]). +choose either: + + - `backend btrfs-progs-btrbk` to completely get rid of + ssh_filter_btrbk.sh, in conjunction with [btrfs-progs-btrbk], + - `backend btrfs-progs-sudo`, configure /etc/sudoers, and consider + using "ssh_filter_btrbk.sh --sudo" option. + +For even more security, set up a chroot environment in +/etc/ssh/sshd_config (see [sshd_config(5)]). [ssh_filter_btrbk(1)]: http://digint.ch/btrbk/doc/ssh_filter_btrbk.html [sshd(8)]: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8 [sshd_config(5)]: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5 + [btrfs-progs-btrbk]: https://github.com/digint/btrfs-progs-btrbk Restoring Backups diff --git a/btrbk b/btrbk index 95539ef..df86a4c 100755 --- a/btrbk +++ b/btrbk 
@@ -124,9 +124,9 @@ my %config_options = (
 group => { default => undef, accept_regexp => qr/^$group_match(\s*,\s*$group_match)*$/, split => qr/\s*,\s*/ },
- backend => { default => "btrfs-progs", accept => [ "btrfs-progs", "btrfs-progs-btrbk" ] },
- backend_local => { default => undef, accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk" ] },
- backend_remote => { default => undef, accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk" ] },
+ backend => { default => "btrfs-progs", accept => [ "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
+ backend_local => { default => undef, accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
+ backend_remote => { default => undef, accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
 # deprecated options
 btrfs_progs_compat => { default => undef, accept => [ "yes", "no" ],
@@ -219,6 +219,13 @@ my %backend_cmd_map = (
 "btrfs send" => [ "btrfs-send" ],
 "btrfs receive" => [ "btrfs-receive" ],
 },
+ "btrfs-progs-sudo" => { "btrfs subvolume list" => [ "sudo", "-n", "btrfs", "subvolume", "list" ],
+ "btrfs subvolume show" => [ "sudo", "-n", "btrfs", "subvolume", "show" ],
+ "btrfs subvolume snapshot" => [ "sudo", "-n", "btrfs", "subvolume", "snapshot" ],
+ "btrfs subvolume delete" => [ "sudo", "-n", "btrfs", "subvolume", "delete" ],
+ "btrfs send" => [ "sudo", "-n", "btrfs", "send" ],
+ "btrfs receive" => [ "sudo", "-n", "btrfs", "receive" ],
+ },
 );
 my %url_cache; # map URL to btr_tree node
diff --git a/doc/btrbk.conf.5 b/doc/btrbk.conf.5
index 91de077..e2e11ea 100644
--- a/doc/btrbk.conf.5
+++ b/doc/btrbk.conf.5
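Review bot: The new `btrfs-progs-sudo` entry in `%backend_cmd_map` hard-codes the `"sudo", "-n"` prefix six times and repeats the command keys of the `btrfs-progs` backend by hand, so a command added to one backend later will silently be missing from the other; deriving the sudo map from the plain one keeps the two in lock-step. The literal `sudo -n ` prefix is also load-bearing across files: `ssh_filter_btrbk.sh --sudo` builds its allow list from the same string, so a comment recording that coupling belongs next to the definition, e.g. `# prefix must match what ssh_filter_btrbk.sh --sudo prepends to its allow list`. Note that the filter's `--info` option allows `btrfs subvolume find-new` and `btrfs filesystem usage`, neither of which has an entry here; if those commands are assembled without going through `%backend_cmd_map` they would run unprefixed on this backend and presumably be rejected by a sudo-prefixed filter, which is worth confirming. The sketch below assumes the `btrfs-progs` entry above the hunk maps each key to an argv array the way the visible `btrfs-progs-btrbk` entries do; `%backend_cmd_map` begins above the hunk.
```perl
my %backend_cmd_map = (
    # … unchanged: "btrfs-progs" and "btrfs-progs-btrbk" entries …
);

# Same command set as "btrfs-progs", each argv prefixed with "sudo -n":
# "-n" makes a missing sudoers rule fail instead of blocking on a
# password prompt. The prefix must stay identical to the one
# ssh_filter_btrbk.sh prepends to its allow list under "--sudo".
$backend_cmd_map{"btrfs-progs-sudo"} = {
    map { $_ => [ "sudo", "-n", @{ $backend_cmd_map{"btrfs-progs"}{$_} } ] }
        keys %{ $backend_cmd_map{"btrfs-progs"} }
};
```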
@@ -279,18 +279,29 @@ If set, make sure the deletion of snapshot and backup subvolumes are committed to disk when btrbk terminates. Defaults to \[lq]no\[rq]. .RE .PP -\fBbackend\fR btrfs-progs|btrfs-progs-btrbk \fI*experimental*\fR +\fBbackend\fR btrfs-progs|btrfs-progs-btrbk|btrfs-progs-sudo .RS 4 -Btrfs filesystem utilities to be used for subvolume operations. If set +Backend filesystem utilities to be used for btrfs specific operations. The +default \[lq]btrfs-progs\[rq] simply executes btrfs(8) commands groups +(e.g. "btrfs subvolume show"). +.IP \[bu] 2 +If set to \[lq]btrfs-progs-btrbk\[rq], specific btrfs(8) commands groups needs to be separated by a dash instead of a whitespace (e.g. "btrfs-subvolume-show" instead of "btrfs subvolume show"). Useful for setting suid or file capabilities (setcap) on specific btrfs commands, as implemented in -. For convenience, it is -also possible to set \fIbackend_local\fR or \fIbackend_remote\fR, -which will override the \fIbackend\fR option for local or remote -sources/targets. Defaults to \[lq]btrfs-progs\[rq]. +. +.IP \[bu] 2 +If set to \[lq]btrfs-progs-sudo\[rq], btrfs commands are prefixed with +"sudo -n" (e.g. "sudo -n btrfs subvolume show" instead of "btrfs +subvolume show"). Make sure to have apropriate (root) permissions for +"btrfs" command groups in /etc/sudoers. +.PP +For convenience, it is also possible to set \fIbackend_local\fR or +\fIbackend_remote\fR options, which will override the backend only for +local or remote sources/targets (e.g. "backend_remote +btrfs-progs-btrbk"). .RE .PP Lines that contain a hash character (#) in the first column are diff --git a/ssh_filter_btrbk.sh b/ssh_filter_btrbk.sh index 273abab..349d476 100755 --- a/ssh_filter_btrbk.sh +++ b/ssh_filter_btrbk.sh @@ -6,7 +6,6 @@ set -u export PATH=/sbin:/bin:/usr/sbin:/usr/bin enable_log= -use_sudo= restrict_path_list= allow_list= allow_exact_list= 
@@ -41,7 +40,7 @@ reject_and_die()
 run_cmd()
 {
 log_cmd "auth.info" "btrbk ACCEPT"
- eval " $use_sudo $SSH_ORIGINAL_COMMAND"
+ eval " $SSH_ORIGINAL_COMMAND"
 }
 reject_filtered_cmd()
@@ -83,10 +82,8 @@ reject_filtered_cmd()
 }
-
-allow_cmd "btrfs subvolume show"; # subvolume queries are always allowed
-allow_cmd "btrfs subvolume list"; # subvolume queries are always allowed
-
+# FIXME: "--sudo" must be set before all other options!
+sudo_prefix=
 while [[ "$#" -ge 1 ]]; do
 key="$1"
@@ -96,7 +93,7 @@ while [[ "$#" -ge 1 ]]; do
 ;;
 --sudo)
- use_sudo="sudo"
+ sudo_prefix="sudo -n "
 ;;
 -p|--restrict-path)
@@ -105,12 +102,12 @@ while [[ "$#" -ge 1 ]]; do
 ;;
 -s|--source)
- allow_cmd "btrfs subvolume snapshot"
- allow_cmd "btrfs send"
+ allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
+ allow_cmd "${sudo_prefix}btrfs send"
 ;;
 -t|--target)
- allow_cmd "btrfs receive"
+ allow_cmd "${sudo_prefix}btrfs receive"
 # the following are needed if targets point to a directory
 allow_cmd "readlink"
 allow_exact_cmd "cat /proc/self/mounts"
@@ -121,24 +118,24 @@ while [[ "$#" -ge 1 ]]; do
 ;;
 -d|--delete)
- allow_cmd "btrfs subvolume delete"
+ allow_cmd "${sudo_prefix}btrfs subvolume delete"
 ;;
 -i|--info)
- allow_cmd "btrfs subvolume find-new"
- allow_cmd "btrfs filesystem usage"
+ allow_cmd "${sudo_prefix}btrfs subvolume find-new"
+ allow_cmd "${sudo_prefix}btrfs filesystem usage"
 ;;
 --snapshot)
- allow_cmd "btrfs subvolume snapshot"
+ allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
 ;;
 --send)
- allow_cmd "btrfs send"
+ allow_cmd "${sudo_prefix}btrfs send"
 ;;
 --receive)
- allow_cmd "btrfs receive"
+ allow_cmd "${sudo_prefix}btrfs receive"
 ;;
 *)
@@ -149,6 +146,9 @@ while [[ "$#" -ge 1 ]]; do
 shift
 done
+allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are always allowed
+allow_cmd "${sudo_prefix}btrfs subvolume list"; # subvolume queries are always allowed
+
 # remove leading "|" on alternation lists
 allow_list=${allow_list#\|}
 allow_exact_list=${allow_exact_list#\|}
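Review bot: The ordering requirement recorded in the new `# FIXME` at the top of the option loop (hunk at 83) is a functional defect rather than a cosmetic one: `${sudo_prefix}` is expanded at each `allow_cmd` call inside the loop (hunks at 105 and 121), so an `authorized_keys` line that lists `-s` or `-t` before `--sudo` registers the unprefixed `btrfs ...` patterns and then sets the prefix too late, while the `show`/`list` calls moved after the loop (hunk at 149) do see it. What happens to a `sudo -n btrfs ...` request against such a mixed allow list depends on how `allow_cmd` anchors its pattern, which is defined above these hunks and not visible here; presumably it is rejected, i.e. the filter fails closed but with a confusing configuration-dependent outcome. Pre-scanning `"$@"` for `--sudo` before the main loop removes the ordering dependence and the FIXME; the existing `--sudo)` arm can stay, it then merely re-assigns the same value. The `sudo -n ` prefix contains no regex metacharacters, so it is safe whether or not `allow_cmd` escapes its argument.
```bash
# Resolve --sudo before the option loop: allow_cmd interpolates $sudo_prefix
# at call time, so the prefix must be known before the first allow_cmd runs,
# regardless of the order of options on the authorized_keys line.
sudo_prefix=
for arg in "$@"; do
    if [[ "$arg" == "--sudo" ]]; then
        sudo_prefix="sudo -n "
    fi
done
while [[ "$#" -ge 1 ]]; do
    # … unchanged: option parsing (the --sudo arm now only re-assigns the prefix) …
```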