Commit Graph

1216 Commits (57029783f938a06223bae58abfdb5f7ddbc2b70c)

Author SHA1 Message Date
Christoph Anton Mitterer 57029783f9 ssh_filter_btrbk.sh: forbid non-absolute pathnames to --restrict-path
This commit adds a function which checks whether a pathname is absolute and
rejects any values to the `--restrict-path`-option which are not.

The idea here is mostly a safeguard for users to prevent accidentally specified
non-absolute pathnames, which would be taken relative to the executing user’s
home-directory.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-12-04 05:23:14 +01:00
Christoph Anton Mitterer a0237fe540 ssh_filter_btrbk.sh: properly normalise pathnames
Previously, pathnames specified via the `--restrict-path`-option had only a
single trailing `/`, if any, stripped.

This commit adds (and utilises) a function which normalises pathnames as
described in its comments.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-12-04 05:23:12 +01:00
Christoph Anton Mitterer 0d34d67385 ssh_filter_btrbk.sh: further harden the shell execution environment
• In principle the special `IFS`-variable could be set to some unexpected non-
  standard value.
  Unsetting it causes its default to be used.
• Locales and in particular their characters sets are quite complex in POSIX and
  may have many subtle implications.
  For example, the pattern matching notation (used in `case`-compound-commands
  or some forms of parameter expansion) are in principle only defined for
  character strings. While some shells handle it gracefully, the behaviour is
  undefined if, for example, the character set is UTF-8 and a variable contains
  bytes that do not form valid characters in that.
  Actually, there are quite some more implications.

  Also, pathnames, in POSIX, are strings of bytes excluding 0x0.

  For these reasons, the locale is set to the `C`/`POSIX`-locale.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-22 00:09:31 +01:00
Christoph Anton Mitterer 7db20c9d16 ssh_filter_btrbk.sh: minor improvements
• Set shell options in one command.
• Homogeneously use local variables for function positional parameters in all
  places.
• In redirections, omit `1` for standard output.
• Homogeneously use `if`-compound-commands instead of `[ … ] && …` in all
  places.
• Homogeneously use curly brackets with parameter expansion.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 22:12:13 +01:00
Christoph Anton Mitterer 4888cc51e5 ssh_filter_btrbk.sh: replace OpenSSH’s deprecated SSH_CLIENT
OpenSSH’s environment variable `SSH_CLIENT` has been deprecated in upstream
commit f37e246f858cdd79be4f4e158b7b04778d1cb7e9 (2002-09-19) and replaced by
`SSH_CONNECTION`.

Both contain more than just the remote information, thus adapted the log message
to reflect that.

Since this might be used by 3rd-party programs (like fail2ban), added a specific
note to the changelog.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 21:51:04 +01:00
Christoph Anton Mitterer e5105949d6 ssh_filter_btrbk.sh: use more common exit statuses
POSIX designates a number of exit statuses around `127` for special use and GNU
a few further.
Further, using values >127 is rather uncommon for normal use-cases.

Use `1` when the SSH command was rejected and `2` when the program’s arguments
could not be parsed.

Since this might at least in principle be used by 3rd-party programs, added a
specific note to the changelog.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 17:49:28 +01:00
Christoph Anton Mitterer 90503298ff ssh_filter_btrbk.sh: set only needed directories in PATH
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 17:12:47 +01:00
Christoph Anton Mitterer 47fb294717 ssh_filter_btrbk.sh: use printf instead of echo
In spirit, POSIX considers `echo` rather obsolete (it was just kept because of
its widespread use).

It’s also not possible to use `echo` portably unless its `-n`-option (as the
first argument) and escape sequences are omitted.
While neither was the case here, it’s better style to just always use `printf`
in order to avoid any future confusion when both are used.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 05:10:59 +01:00
Christoph Anton Mitterer 2d3e8e26a7 ssh_filter_btrbk.sh: convert to POSIX sh
This commit finishes the work from the previous one and converts
ssh_filter_btrbk.sh to (mostly) pure POSIX Shell Command Language.

Instead of bash’s `=~`-operator for its `[[ … ]]`-compound-command it uses
`grep`.
At the time of writing, bash has at least the `nocasematch`-shell-option which
would have a negative security impact for this program. While it’s not enabled
per default, single users could potentially change that, not realising the
consequences.
Thus, moving away from this may also provide some hardening.

Unlike bash’s `=~`-operator, which matches against the whole string at once,
`grep` matches the pattern against each line of input.
This would allow for attacks by including a newline in the SSH command like in:
    SSH_ORIGINAL_COMMAND="readlink /dev/stdout
    cat /etc/shadow"
but is prevented by the general exclusion of newlines in commit TODO.

`grep` may return an exit status of `0` when used with its `-q`-option, even
when an error occurred.
Since this program is intended specifically for security purposes this shall be
avoided, even if such case is unlikely, and therefore its standard output and
standard error are redirected to `/dev/null` instead.

Further, using just:
    local formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
rather than:
    local formatted_restrict_path_list=""; formatted_restrict_path_list="$(printf '%s' "$restrict_path_list" | sed 's/|/", "/g')"
prevents `set -e` from taking effect if the pipeline within the command
substitution fails, as the returned exit status of the whole command is the
result of `local`, not that of the assignment.
This is however no security problem here, as `formatted_restrict_path_list` is
only used for informative purposes.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 04:33:10 +01:00
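The `local`-masking behaviour described in the commit message above, as an added example that is not part of btrbk or of the commit: both variants run in a child `sh` (assumed to support `local`, as the commit notes for dash and BusyBox `sh`) so that `set -e` acts in a plain context and the resulting exit status can be observed. `fail`, `COMBINED`, `SPLIT` and `exit_status_of` are constructed names for this illustration.

```shell
#!/bin/sh
# Added example, not btrbk's own code: demonstrates why
#     local v="$(cmd)"
# hides a failing command substitution from `set -e`, whereas declaring
# first and assigning separately does not. Each variant runs in a child
# `sh` (assumed to support `local`, as dash and BusyBox sh do) so that
# `set -e` acts in a plain context and the resulting exit status is visible.

# `fail` is a constructed stand-in for a failing pipeline: it produces some
# output, as a real pipeline would, and then fails with status 3.

# Variant 1: declaration and assignment in a single `local` command. The
# command's status is that of `local` (0), so `set -e` never fires and the
# script runs on to `exit 0` although the substitution failed.
COMBINED='set -e
fail() { printf "partial"; return 3; }
f() { local r="$(fail)"; printf "%s\n" "$r"; }
f
exit 0'

# Variant 2: declare, then assign. A bare assignment takes the status of
# its command substitution (3), so `set -e` aborts the child shell there.
SPLIT='set -e
fail() { printf "partial"; return 3; }
f() { local r=""; r="$(fail)"; printf "%s\n" "$r"; }
f
exit 0'

# Run a script in a child sh and print its exit status. The `||` keeps a
# non-zero status from aborting this script should it run under `set -e`.
exit_status_of() {
    status=0
    sh -c "$1" >/dev/null || status=$?
    echo "$status"
}

run_combined() { exit_status_of "$COMBINED"; }   # prints 0
run_split()    { exit_status_of "$SPLIT"; }      # prints 3

printf 'local + assignment in one command: exit %s\n' "$(run_combined)"
printf 'declaration, then assignment:      exit %s\n' "$(run_split)"
```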
Christoph Anton Mitterer 53b3290e14 ssh_filter_btrbk.sh: remove unnecessary bashisms
ssh_filter_btrbk.sh is mainly intended for security purposes and should
therefore itself be written with that in mind.
It is written for bash, which greatly extends the POSIX Shell Command Language
and is incompatible with it in some niche cases.

For several reasons, it seems a good idea to convert the program to (mostly)
pure POSIX Shell Command Language:
• People may try to use the program with other shells (for example when bash is
  not available) and make errors.
More pure `sh` implementations like dash …
• … have far less code and also less dependencies, which possibly also reduces
  the chance for bugs or exploits,
• … are less dynamic in development (and have thus possibly a lower chance of
  incompatible changes) …
• … and may run faster.

This commit replaces any unnecessary “bashisms” with purely POSIX compatible
code, with the exception of the `local`-built-in, which is however supported by
most POSIX compatible shells (including dash, klibc-utils’s `sh` and BusyBox’
`sh`) in some way.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-21 04:10:34 +01:00
Christoph Anton Mitterer 5d1abf8d33 ssh_filter_btrbk.sh: double quote variables expansions
Double quote any variable expansions that might ever contain field separators.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-20 04:00:20 +01:00
Christoph Anton Mitterer 35a0fd3975 ssh_filter_btrbk.sh: use single quotes where possible
In strings that don’t contain `'` nor do any expansions, use single quotes to
avoid any future unintended expansions or escapes.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-20 04:00:18 +01:00
Axel Burri 9d0468070d btrbk-verify: do not use echo -e 2022-11-20 00:09:50 +01:00
Axel Burri 65886f10fd btrbk-mail: do not use echo -e 2022-11-20 00:09:32 +01:00
Axel Burri f52de197d6 btrbk: use printf instead of echo
POSIX echo does not know about -e, -n flags; use printf instead.
2022-11-16 02:31:13 +01:00
Axel Burri 5c561d8c14 documentation: tidy --dry-run, --print-schedule examples 2022-11-16 01:37:12 +01:00
Axel Burri 125b37468a btrbk: tidy comments 2022-11-16 00:45:39 +01:00
Christoph Anton Mitterer 914f9286c7 btrbk: add bzip3 compression
This adds support for bzip3 [1].

 [1] https://github.com/kspalaiologos/bzip3

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>

Cosmetics: swap order pbzip2 / bzip3

Signed-off-by: Axel Burri <axel@tty0.ch>
2022-11-16 00:45:39 +01:00
Axel Burri af86dc8c52 btrbk: allow compressors not to have a compression level
Not all compressors support compression level (option `-#`): print a
warning if compress_level is set, and ignore its value for such
compressors.
2022-11-16 00:44:53 +01:00
Christoph Anton Mitterer af2d7b2c99 documentation: use "example.org" in examples
`mydomain.com` is actually a real domain and shouldn’t be used in examples.

RFC 2606 (respectively RFC 6761) reserves `example.org` (and others) for that
purpose.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-12 15:19:24 +01:00
Christoph Anton Mitterer 1287547df0 documentation: use "restrict" in authorized_keys for further hardening
Since `btrbk` executes only commands, it shouldn’t need any of what’s currently
disabled with the `restrict` flag in the `authorized_keys` file, that is:
Port-, agent- and X11-forwarding as well as PTY allocation and execution of
`~/.ssh/rc`.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
2022-11-12 15:17:28 +01:00
Axel Burri 9166d73be7 documentation: add send_protocol, send_compressed_data 2022-10-30 17:08:06 +01:00
Axel Burri cc08cef27c btrbk: add send_protocol and send_compressed_data config options
support btrfs send protocol v2
2022-10-30 17:08:06 +01:00
Axel Burri 1f7aa7e247 btrbk: unify btrfs send options 2022-10-30 17:08:06 +01:00
Axel Burri af4681319c btrbk: bump version to 0.32.6-dev 2022-10-30 17:08:05 +01:00
Axel Burri 58fffab405 change version to 0.32.5; update Changelog 2022-10-23 12:37:28 +02:00
Axel Burri dcee6222be btrbk: append to info file instead of rewriting
A redirection (e.g. `echo foo > bar.info`) can cause empty (zero-size)
files in some circumstances.

We still write INCOMPLETE=1 to the info file before send/receive, but
instead of re-creating it without the INCOMPLETE flag, we append
INCOMPLETE=0 (keeping up compatibility with old versions of btrbk).

Ref: 4e5ae975d8 btrbk: ignore zero-size info files
2022-10-19 11:38:11 +02:00
Axel Burri 51b2a5a9f5 btrbk: tidy comments 2022-10-19 11:38:11 +02:00
Axel Burri 25c8eb1705 btrbk: add timestamp to info file on write 2022-10-19 11:38:11 +02:00
Axel Burri 08cb900a9e btrbk: add append option to system_write_raw_info 2022-10-19 11:38:11 +02:00
Axel Burri 89c0aa31d7 btrbk: tidy raw info file parsing 2022-10-19 11:37:45 +02:00
Axel Burri d6910e43ea btrbk: add append_to_file option in run_cmd 2022-10-19 11:33:40 +02:00
Matthieu Patou 4e5ae975d8 btrbk: ignore zero-size info files
When backing up from devices that are configured to use raw backup and
that might disconnect from the network (i.e. laptops), you end up once in
a while with a 0-size info file (and backup file).
btrbk doesn’t know how to handle a 0-size file and stops backing up until the
zero-size file is removed.
With this change, 0-size info files will be ignored, and hence the backup
for the given backup will be redone.

Signed-off-by: Matthieu Patou <mat@matws.net>
2022-10-18 11:46:32 +02:00
Axel Burri f77a33b340 btrbk: bump version to 0.32.5-dev 2022-10-18 11:08:31 +02:00
Axel Burri 6877825708 change version to 0.32.4; update Changelog 2022-08-20 14:26:36 +02:00
Axel Burri 116aface3c btrbk: fix regression: wrong deprecation warnings
Warning for btrfs_commit_delete is always printed, regardless of the
(possibly valid) values.

regression in btrbk-0.32.3

   687e0508b7 btrbk: tidy deprecation warnings
2022-08-20 14:24:17 +02:00
Axel Burri 411034e93f change version to 0.32.3; update Changelog 2022-08-07 11:04:39 +02:00
xskoak 3149aa9e10 btrbk.conf.example: fix spelling 2022-07-28 13:59:01 +02:00
Axel Burri 79b6a662f2 btrbk: fix missing error in action "ls" 2022-07-28 13:44:42 +02:00
Axel Burri cf2065df30 btrbk: hint missing ssh_identity on errors
It is perfectly ok to run btrbk without ssh_identity (using ssh
defaults), printing a warning if the option is not set is wrong.
Instead, hackily check for ssh_identity on ssh errors, and give a hint
in the error message.
2022-07-28 13:44:37 +02:00
Axel Burri 67020797ff btrbk.conf.example: tidy ssh_identity, add backend_local_user 2022-07-28 13:02:22 +02:00
Axel Burri a5dd4dd7b9 btrbk.conf.example: add local user on demand with ssh-agent 2022-07-28 13:01:56 +02:00
Axel Burri 19727e913b documentation: drop deprecation notice
gt 2 years, deprecated since v0.28.0
2022-07-28 12:18:04 +02:00
Axel Burri 588fc7faa8 documentation: tidy man reference 2022-07-28 12:18:04 +02:00
Axel Burri dc7b11653d documentation: adapt ssh_identity and ssh_user option
also mention ssh-agent for ssh_identity option.
2022-07-28 12:17:16 +02:00
Axel Burri 2621fb38ba btrbk: allow ssh_user=no 2022-07-28 12:10:06 +02:00
Axel Burri dd638ec9f4 btrbk: allow ssh_identity=no 2022-07-28 12:06:22 +02:00
Axel Burri f467de6c19 btrbk.conf.example: adapt btrfs_commit_delete 2022-07-28 12:06:22 +02:00
Axel Burri c5dff6afda documentation: adapt btrfs_commit_delete
Also move item down, closer to other delete-related options.
2022-07-27 20:41:59 +02:00
Axel Burri 6b465bf06b btrbk: never delete multiple subvolumes at once
Deleting multiple subvolumes at once always caused the problem that we
need to parse stderr of "rm" and "btrfs subvolume delete" in order to
know which subvolume actually failed, which is problematic (version
dependent, language dependent). Also, we would need to restrict the
number of subvolumes based on the maximum allowed length for shell
commands, which is system-dependent (check `getconf ARG_MAX`).

Deleting subvolumes sequentially has slightly negative impact on
execution time (multiple rsh commands), with the benefit of being more
robust and reducing the codesize.
2022-07-27 20:41:25 +02:00