btrbk: add supoort for "backend btrfs-progs-sudo" option; adaptions in ssh_filter_btrbk.sh

ChangeLog

@@ -1,6 +1,7 @@
 btrbk-current
 
   * Allow converting backup disks to source disks (close #114).
+  * Add "backend btrfs-progs-sudo" configuration option (close #115).
   * Show aggregate "size" and "used" for "usage" action (close #119).
   * raw_target_encrypt: Always set "gpg --no-random-seed-file":
     prevents creation of "~/.gnupg/random_seed" with slight perfomance

README.md

@@ -406,15 +406,21 @@ Please refer to [ssh_filter_btrbk(1)] for a description of the
 of the "authorized_keys" file format.
 
 Also consider setting up ssh access for a user dedicated to btrbk and
-either set suid root on ssh_filter_btrbk.sh or use the "--sudo" option
+choose either:
-and configure /etc/sudoers accordingly. For even more security, you
+
-can setup a chroot environment in /etc/ssh/sshd_config (see
+  - `backend btrfs-progs-btrbk` to completely get rid of
-[sshd_config(5)]).
+    ssh_filter_btrbk.sh, in conjunction with [btrfs-progs-btrbk],
+  - `backend btrfs-progs-sudo`, configure /etc/sudoers, and consider
+    using "ssh_filter_btrbk.sh --sudo" option.
+
+For even more security, set up a chroot environment in
+/etc/ssh/sshd_config (see [sshd_config(5)]).
 
 
   [ssh_filter_btrbk(1)]: http://digint.ch/btrbk/doc/ssh_filter_btrbk.html
   [sshd(8)]: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8
   [sshd_config(5)]: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5
+  [btrfs-progs-btrbk]: https://github.com/digint/btrfs-progs-btrbk
 
 
 Restoring Backups

btrbk

@@ -124,9 +124,9 @@ my %config_options = (
 
   group                       => { default => undef,     accept_regexp => qr/^$group_match(\s*,\s*$group_match)*$/, split => qr/\s*,\s*/ },
 
-  backend                     => { default => "btrfs-progs", accept => [       "btrfs-progs", "btrfs-progs-btrbk" ] },
+  backend                     => { default => "btrfs-progs", accept => [       "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
-  backend_local               => { default => undef,         accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk" ] },
+  backend_local               => { default => undef,         accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
-  backend_remote              => { default => undef,         accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk" ] },
+  backend_remote              => { default => undef,         accept => [ "no", "btrfs-progs", "btrfs-progs-btrbk", "btrfs-progs-sudo" ] },
 
   # deprecated options
   btrfs_progs_compat          => { default => undef, accept => [ "yes", "no" ],
@@ -219,6 +219,13 @@ my %backend_cmd_map = (
                            "btrfs send"               => [ "btrfs-send"               ],
                            "btrfs receive"            => [ "btrfs-receive"            ],
                          },
+  "btrfs-progs-sudo" =>  { "btrfs subvolume list"     => [ "sudo", "-n", "btrfs", "subvolume", "list"     ],
+                           "btrfs subvolume show"     => [ "sudo", "-n", "btrfs", "subvolume", "show"     ],
+                           "btrfs subvolume snapshot" => [ "sudo", "-n", "btrfs", "subvolume", "snapshot" ],
+                           "btrfs subvolume delete"   => [ "sudo", "-n", "btrfs", "subvolume", "delete"   ],
+                           "btrfs send"               => [ "sudo", "-n", "btrfs", "send"                  ],
+                           "btrfs receive"            => [ "sudo", "-n", "btrfs", "receive"               ],
+                         },
 );
 
 my %url_cache;       # map URL to btr_tree node

doc/btrbk.conf.5

@@ -279,18 +279,29 @@ If set, make sure the deletion of snapshot and backup subvolumes are
 committed to disk when btrbk terminates. Defaults to \[lq]no\[rq].
 .RE
 .PP
-\fBbackend\fR  btrfs-progs|btrfs-progs-btrbk  \fI*experimental*\fR
+\fBbackend\fR  btrfs-progs|btrfs-progs-btrbk|btrfs-progs-sudo
 .RS 4
-Btrfs filesystem utilities to be used for subvolume operations. If set
+Backend filesystem utilities to be used for btrfs specific operations. The
+default \[lq]btrfs-progs\[rq] simply executes btrfs(8) commands groups
+(e.g. "btrfs subvolume show").
+.IP \[bu] 2
+If set
 to \[lq]btrfs-progs-btrbk\[rq], specific btrfs(8) commands groups
 needs to be separated by a dash instead of a whitespace
 (e.g. "btrfs-subvolume-show" instead of "btrfs subvolume
 show"). Useful for setting suid or file capabilities (setcap) on
 specific btrfs commands, as implemented in
-<https://github.com/digint/btrfs-progs-btrbk>. For convenience, it is
+<https://github.com/digint/btrfs-progs-btrbk>.
-also possible to set \fIbackend_local\fR or \fIbackend_remote\fR,
+.IP \[bu] 2
-which will override the \fIbackend\fR option for local or remote
+If set to \[lq]btrfs-progs-sudo\[rq], btrfs commands are prefixed with
-sources/targets. Defaults to \[lq]btrfs-progs\[rq].
+"sudo -n" (e.g. "sudo -n btrfs subvolume show" instead of "btrfs
+subvolume show"). Make sure to have apropriate (root) permissions for
+"btrfs" command groups in /etc/sudoers.
+.PP
+For convenience, it is also possible to set \fIbackend_local\fR or
+\fIbackend_remote\fR options, which will override the backend only for
+local or remote sources/targets (e.g. "backend_remote
+btrfs-progs-btrbk").
 .RE
 .PP
 Lines that contain a hash character (#) in the first column are

ssh_filter_btrbk.sh

@@ -6,7 +6,6 @@ set -u
 export PATH=/sbin:/bin:/usr/sbin:/usr/bin
 
 enable_log=
-use_sudo=
 restrict_path_list=
 allow_list=
 allow_exact_list=
@@ -41,7 +40,7 @@ reject_and_die()
 run_cmd()
 {
     log_cmd "auth.info" "btrbk ACCEPT"
-    eval " $use_sudo $SSH_ORIGINAL_COMMAND"
+    eval " $SSH_ORIGINAL_COMMAND"
 }
 
 reject_filtered_cmd()
@@ -83,10 +82,8 @@ reject_filtered_cmd()
 }
 
 
-
+# FIXME: "--sudo" must be set before all other options!
-allow_cmd "btrfs subvolume show"; # subvolume queries are always allowed
+sudo_prefix=
-allow_cmd "btrfs subvolume list"; # subvolume queries are always allowed
-
 while [[ "$#" -ge 1 ]]; do
     key="$1"
 
@@ -96,7 +93,7 @@ while [[ "$#" -ge 1 ]]; do
           ;;
 
       --sudo)
-          use_sudo="sudo"
+          sudo_prefix="sudo -n "
           ;;
 
       -p|--restrict-path)
@@ -105,12 +102,12 @@ while [[ "$#" -ge 1 ]]; do
           ;;
 
       -s|--source)
-          allow_cmd "btrfs subvolume snapshot"
+          allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
-          allow_cmd "btrfs send"
+          allow_cmd "${sudo_prefix}btrfs send"
           ;;
 
       -t|--target)
-          allow_cmd "btrfs receive"
+          allow_cmd "${sudo_prefix}btrfs receive"
           # the following are needed if targets point to a directory
           allow_cmd "readlink"
           allow_exact_cmd "cat /proc/self/mounts"
@@ -121,24 +118,24 @@ while [[ "$#" -ge 1 ]]; do
           ;;
 
       -d|--delete)
-          allow_cmd "btrfs subvolume delete"
+          allow_cmd "${sudo_prefix}btrfs subvolume delete"
           ;;
 
       -i|--info)
-          allow_cmd "btrfs subvolume find-new"
+          allow_cmd "${sudo_prefix}btrfs subvolume find-new"
-          allow_cmd "btrfs filesystem usage"
+          allow_cmd "${sudo_prefix}btrfs filesystem usage"
           ;;
 
       --snapshot)
-          allow_cmd "btrfs subvolume snapshot"
+          allow_cmd "${sudo_prefix}btrfs subvolume snapshot"
           ;;
 
       --send)
-          allow_cmd "btrfs send"
+          allow_cmd "${sudo_prefix}btrfs send"
           ;;
 
       --receive)
-          allow_cmd "btrfs receive"
+          allow_cmd "${sudo_prefix}btrfs receive"
           ;;
 
       *)
@@ -149,6 +146,9 @@ while [[ "$#" -ge 1 ]]; do
     shift
 done
 
+allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are always allowed
+allow_cmd "${sudo_prefix}btrfs subvolume list"; # subvolume queries are always allowed
+
 # remove leading "|" on alternation lists
 allow_list=${allow_list#\|}
 allow_exact_list=${allow_exact_list#\|}