ambiser
/
btrbk
mirror of https://github.com/digint/btrbk
9
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ssh_filter_btrbk: accept mbuffer command (stream_compress)

pull/175/merge
Axel Burri 2017-08-21 14:39:40 +02:00
parent 5428e9cd93
commit ee17c1a2b4
3 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -4,6 +4,7 @@ btrbk-current
line option (which is now deprecated). line option (which is now deprecated).
* Add "snapshot" command (close #150). * Add "snapshot" command (close #150).
* Add "--preserve-snapshots" and "--preserve-backups" options. * Add "--preserve-snapshots" and "--preserve-backups" options.
* Bugfix: ssh_filter_btrbk: accept mbuffer command (stream_buffer).
btrbk-0.25.1 btrbk-0.25.1

6
doc/ssh_filter_btrbk.1
View File

@ -1,4 +1,4 @@
.TH "ssh_filter_btrbk" "1" "2017-07-30" "btrbk v0.25.1" "" .TH "ssh_filter_btrbk" "1" "2017-08-21" "btrbk v0.26.0-dev" ""
.\" disable hyphenation .\" disable hyphenation
.nh .nh
.\" disable justification (adjust text to left margin only) .\" disable justification (adjust text to left margin only)
@ -21,8 +21,8 @@ Note that the following btrfs commands are always allowed: "btrfs
subvolume show", "btrfs subvolume list". subvolume show", "btrfs subvolume list".
.PP .PP
Note that commands for stream compression (pipes through gzip, pigz, Note that commands for stream compression (pipes through gzip, pigz,
bzip2, pbzip2, xz, lzo, lz4) as well as rate limiting (pipes through bzip2, pbzip2, xz, lzo, lz4), rate limiting (pipes through "pv -L"),
"pv -L") are always allowed. and stream buffer (pipes through "mbuffer") are always allowed.
.PP .PP
Example line in /root/.ssh/authorized_keys on a backup target host: Example line in /root/.ssh/authorized_keys on a backup target host:
.PP .PP

11
ssh_filter_btrbk.sh
View File

@ -10,6 +10,7 @@ restrict_path_list=
allow_list= allow_list=
allow_exact_list= allow_exact_list=
allow_rate_limit=1 allow_rate_limit=1
allow_stream_buffer=1
allow_compress=1 allow_compress=1
compress_list="gzip|pigz|bzip2|pbzip2|xz|lzo|lz4" compress_list="gzip|pigz|bzip2|pbzip2|xz|lzo|lz4"
@ -67,6 +68,12 @@ reject_filtered_cmd()
compress_match= compress_match=
fi fi
if [[ -n "$allow_stream_buffer" ]]; then
stream_buffer_match="(mbuffer -q -m [0-9]+[kmg]? \| )?"
else
stream_buffer_match=
fi
if [[ -n "$allow_rate_limit" ]]; then if [[ -n "$allow_rate_limit" ]]; then
rate_limit_match="( \| pv -q -L [0-9]+[kmgt]?)?" rate_limit_match="( \| pv -q -L [0-9]+[kmgt]?)?"
else else
@ -74,7 +81,7 @@ reject_filtered_cmd()
fi fi
# allow multiple paths (e.g. "btrfs subvolume snapshot <src> <dst>") # allow multiple paths (e.g. "btrfs subvolume snapshot <src> <dst>")
btrfs_cmd_match="^${decompress_match}(${allow_list})( ${option_match})*( ${path_match})+${compress_match}${rate_limit_match}$" btrfs_cmd_match="^${decompress_match}${stream_buffer_match}(${allow_list})( ${option_match})*( ${path_match})+${compress_match}${rate_limit_match}$"
if [[ $SSH_ORIGINAL_COMMAND =~ $btrfs_cmd_match ]] ; then if [[ $SSH_ORIGINAL_COMMAND =~ $btrfs_cmd_match ]] ; then
return 0 return 0
@ -175,7 +182,7 @@ case "$SSH_ORIGINAL_COMMAND" in
*\<*) reject_and_die "unsafe character" ;; *\<*) reject_and_die "unsafe character" ;;
*\>*) reject_and_die "unsafe character" ;; *\>*) reject_and_die "unsafe character" ;;
*\`*) reject_and_die "unsafe character" ;; *\`*) reject_and_die "unsafe character" ;;
*\|*) [[ -n "$allow_compress" ]] || [[ -n "$allow_rate_limit" ]] || reject_and_die "unsafe character (compression disallowed)" ;; *\|*) [[ -n "$allow_compress" ]] || [[ -n "$allow_rate_limit" ]] || [[ -n "$allow_stream_buffer" ]] || reject_and_die "unsafe character (compression disallowed)" ;;
esac esac
reject_filtered_cmd reject_filtered_cmd