We don't support families other than "btrbk" yet: timeshift uses
subdirs, and there are too many places where the snapshot_dir is
supposed to be the directory where the snapshots reside.
If deletion is skipped, we don't have a schedule call on the target,
which is used for --print-schedule text. Add some (rather hacky) code
to be able to also use the schedule result of the backup process.
Note that "no target action" for archive is replaced by "<no_action>",
for consistency with action run:
[-] /path/to/target/snapshot_basename.*
is now displayed as:
<no_action>
A more sophisticated implementation would be to check this after
scheduling, only if the target really needs to be backed up.
We could as well automatically trigger a `btrfs snapshot -r` on target
in these cases, but this seems counter-intuitive.
Sanitize file (or subvolume path) arguments in safe_cmd, effectively
removing leading double slash.
Files originating from "volume /" can be assembled as "//some/subvol",
which is useful internally but undesired as command arguments, as
ancient systems might interpret leading double slash "//" in a special
way.
POSIX states:
> A pathname that begins with two successive slashes may be
> interpreted in an implementation-defined manner, although more than
> two leading slashes shall be treated as a single slash.
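An added POSIX sh illustration of the sanitizing described above (not btrbk's own implementation; `sanitize_path` and `safe_cmd` are hypothetical names here, and the sample paths are constructed):

```shell
#!/bin/sh
# Added example. Strips the leading double slash the commit message
# describes, leaving every other slash in the path untouched.
sanitize_path() {
    p=$1
    # Only a leading run of slashes is implementation-defined in POSIX;
    # collapse it to a single slash. Interior "//" is not touched.
    while :; do
        case "$p" in
            //*) p=${p#/} ;;
            *)   break ;;
        esac
    done
    printf '%s\n' "$p"
}

# Apply sanitize_path to every argument of a command, then print the
# resulting argument list (a real wrapper would exec it instead).
# Note: "$(...)" strips trailing newlines from an argument, which is
# acceptable here because newlines are not valid in these arguments.
safe_cmd() {
    cmd=$1
    shift
    for a in "$@"; do
        shift
        set -- "$@" "$(sanitize_path "$a")"
    done
    printf '%s' "$cmd"
    for a in "$@"; do
        printf ' %s' "$a"
    done
    printf '\n'
}
```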
• In principle the special `IFS`-variable could be set to some unexpected
non-standard value.
Unsetting it causes its default to be used.
• Locales and in particular their character sets are quite complex in POSIX and
may have many subtle implications.
For example, the pattern matching notation (used in `case`-compound-commands
or some forms of parameter expansion) is in principle only defined for
character strings. While some shells handle it gracefully, the behaviour is
undefined if, for example, the character set is UTF-8 and a variable contains
bytes that do not form valid characters in that character set.
Actually, there are quite a few more implications.
Also, pathnames, in POSIX, are strings of bytes excluding 0x0.
For these reasons, the locale is set to the `C`/`POSIX`-locale.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
• Set shell options in one command.
• Homogeneously use local variables for function positional parameters in all
places.
• In redirections, omit `1` for standard output.
• Homogeneously use `if`-compound-commands instead of `[ … ] && …` in all
places.
• Homogeneously use curly brackets with parameter expansion.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
OpenSSH’s environment variable `SSH_CLIENT` has been deprecated in upstream
commit f37e246f858cdd79be4f4e158b7b04778d1cb7e9 (2002-09-19) and replaced by
`SSH_CONNECTION`.
Both contain more than just the remote information, so the log message was
adapted to reflect that.
Since this might be used by 3rd-party programs (like fail2ban), a specific
note was added to the changelog.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
In spirit, POSIX considers `echo` rather obsolete (it was just kept because of
its widespread use).
It’s also not possible to use `echo` portably unless its `-n`-option (as the
first argument) and escape sequences are omitted.
While neither was the case here, it’s better style to just always use `printf`
in order to avoid any future confusion when both are used.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
This commit finishes the work from the previous one and converts
ssh_filter_btrbk.sh to (mostly) pure POSIX Shell Command Language.
Instead of bash’s `=~`-operator for its `[[ … ]]`-compound-command it uses
`grep`.
At the time of writing, bash has at least the `nocasematch`-shell-option which
would have a negative security impact for this program. While it’s not enabled
by default, single users could potentially change that, not realising the
consequences.
Thus, moving away from this may also provide some hardening.
Unlike bash’s `=~`-operator, which matches against the whole string at once,
`grep` matches the pattern against each line of input.
This would allow for attacks by including a newline in the SSH command like in:
SSH_ORIGINAL_COMMAND="readlink /dev/stdout
cat /etc/shadow"
but is prevented by the general exclusion of newlines in commit TODO.
`grep` may return an exit status of `0` when used with its `-q`-option, even
when an error occurred.
Since this program is intended specifically for security purposes this shall be
avoided, even if such case is unlikely, and therefore its standard output and
standard error are redirected to `/dev/null` instead.
Further, using just:
local formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
rather than:
local formatted_restrict_path_list=""; formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
prevents `set -e` from taking effect if the pipeline within the command
substitution fails, as the returned exit status of the whole command is the
result of `local`, not that of the assignment.
This is however no security problem here, as `formatted_restrict_path_list` is
only used for informative purposes.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>