From ffba3e47c6caca3aa29970b085e11b41d1e851cd Mon Sep 17 00:00:00 2001
From: Axel Burri
Date: Tue, 15 May 2018 00:06:53 +0200
Subject: [PATCH] documentation: ssh_filter_btrbk.1.asciidoc: fixes, cleanup

- add "always allowed" commands (as bullet list)
- remove deprecated "-c, --compress"
---
 doc/ssh_filter_btrbk.1.asciidoc | 35 +++++++++++++++++----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/doc/ssh_filter_btrbk.1.asciidoc b/doc/ssh_filter_btrbk.1.asciidoc
index e9f24f6..3027ea3 100644
--- a/doc/ssh_filter_btrbk.1.asciidoc
+++ b/doc/ssh_filter_btrbk.1.asciidoc
@@ -17,25 +17,31 @@ SYNOPSIS [literal] ssh_filter_btrbk.sh [-s|--source] [-t|--target] [-d|--delete] - [-c|--compress] [-i|--info] [--snapshot] [--send] [--receive] + [-i|--info] [--snapshot] [--send] [--receive] [-p|--restrict-path ] [-l|--log] [--sudo] DESCRIPTION ----------- -*ssh_filter_btrbk.sh* restricts SSH commands to 'btrfs' commands used -by 'btrbk'. It examines the SSH_ORIGINAL_COMMAND environment variable -(set by sshd) and executes it only if it matches commands used by -'btrbk'. The accepted commands are specified by the "--source", -"--target", "--delete" and "--info" options. +*ssh_filter_btrbk.sh* restricts SSH commands to commands used by +'btrbk'. It examines the SSH_ORIGINAL_COMMAND environment variable +(set by sshd) and executes it only if it contains commands used by +'btrbk'. -Note that the following btrfs commands are always allowed: "btrfs -subvolume show", "btrfs subvolume list". +The accepted commands are specified by the "--source", "--target", +"--delete" and "--info" options. -Note that commands for stream compression (pipes through gzip, pigz, -bzip2, pbzip2, xz, lzop, lz4), rate limiting (pipes through "pv -L"), -and stream buffer (pipes through "mbuffer") are always allowed. +The following commands are always allowed: + + - "btrfs subvolume show" + - "btrfs subvolume list" + - "readlink" + - "cat /proc/self/mounts" + - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop", + "lz4" (stream_compress) + - pipes through "mbuffer" (stream_buffer) + - pipes through "pv -L" (rate_limit) Example line in /root/.ssh/authorized_keys on a backup target host: @@ -50,8 +56,7 @@ OPTIONS "btrfs send". Equivalent to "--snapshot --send". -t, --target:: - Allow commands for backup target: "btrfs receive", "realpath" and - "cat /proc/self/mounts". + Allow commands for backup target: "btrfs receive". -d, --delete:: Allow commands for subvolume deletion: "btrfs subvolume 
@@ -59,10 +64,6 @@ OPTIONS 'snapshot_preserve_daily' is not set to ``all'', and for backup targets if 'target_preserve_daily' is not set to ``all''. --c, --compress:: - Allow commands for stream compression (pipes through gzip, pigz, - bzip2, pbzip2, xz, lzo, lz4). Needed if 'stream_compress' is set. - -i, --info:: Allow informative commands: "btrfs subvolume find-new", "btrfs filesystem usage". This is used by btrbk 'info' and 'diff'
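Review bot: In the DESCRIPTION hunk (@@ -17,25 +17,31 @@), the new wording "executes it only if it contains commands used by 'btrbk'" is weaker than the old "matches" and, for a filter that is configured in authorized_keys, reads as if a command line that merely includes an accepted command somewhere would be executed. Please state the rule precisely, for example that the whole of SSH_ORIGINAL_COMMAND must consist only of accepted commands, or keep "matches". In the same hunk the always-allowed list adds "readlink" without saying which arguments are accepted; since these entries are allowed regardless of options, the text should say whether "--restrict-path" also applies to them.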
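Review bot: In the OPTIONS hunk for "-t, --target" (@@ -50,8 +56,7 @@), "realpath" is dropped from the description and does not reappear anywhere in the patch, while the new always-allowed list names "readlink" instead; only "cat /proc/self/mounts" is visibly moved. The commit message mentions neither change. If "realpath" is no longer accepted and "readlink" replaces it, say so in the commit message, so that someone auditing which commands a key can run is able to tell a documentation fix from a change in what the filter allows.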
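Review bot: In the last hunk (@@ -59,10 +64,6 @@), the "-c, --compress" entry is deleted outright, which leaves readers with existing authorized_keys lines that still pass "-c" no way to learn from the man page whether the option is still accepted and ignored or now rejected. Since the commit message calls it deprecated, consider keeping a one-line entry that marks it as deprecated and points to the always-allowed list, where the compression pipes are now documented.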