In strings that neither contain `'` nor need any expansions, use single quotes to
avoid any future unintended expansions or escapes.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
This disallows newline (that is: LF characters) in the SSH command, which could
have been exploited for arbitrary code execution, since commit
77a39282de.
Example:
# export SSH_ORIGINAL_COMMAND=$'readlink /dev/stdout\ncat /etc/shadow'
# ssh_filter_btrbk.sh
Since `readlink` is a generally allowed command, this works with any of
ssh_filter_btrbk.sh’s options.
But most likely, other commands that are “added” via `allow_cmd()` can be used,
too.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
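The newline check described in this commit, as an added shell example that is not code from ssh_filter_btrbk.sh or the btrbk project; the allowed command set, the `check_cmd` and `check_cmd_unsafe` names, and the sample commands are assumptions for illustration:

```shell
# Added example, not btrbk code: a minimal forced-command filter that shows
# why an allowlist regex alone is not enough when the matcher is line-based.
# The allowed set (readlink, cat /proc/self/mounts, btrfs subvolume list|show)
# is assumed for this example only.

# Grouped and fully anchored: the whole command must be one alternative.
allowed='^(readlink( -[ef])? [^ ]+|cat /proc/self/mounts|btrfs subvolume (list|show) [^ ]+)$'

# Build LF and CR bytes for use in case patterns. $(...) strips trailing
# newlines, so a sentinel character is appended and removed again.
nl=$(printf '\nx'); nl=${nl%x}
cr=$(printf '\rx'); cr=${cr%x}

# Before the fix: grep applies the regex line by line, so a command with an
# embedded newline is accepted as soon as its first line matches, no matter
# what the remaining lines contain.
check_cmd_unsafe() {
  printf '%s' "$1" | grep -Eq "$allowed"
}

# After the fix: reject any LF or CR up front, then apply the same regex.
# Returns 0 (accept) or 1 (reject).
check_cmd() {
  case $1 in
    *"$nl"*|*"$cr"*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq "$allowed"
}

# Stand-alone demonstration on constructed inputs.
for c in 'readlink -e /mnt/data' 'cat /proc/self/mounts' 'id' \
         "readlink /mnt/data${nl}id"; do
  if check_cmd "$c"; then echo "accepted: $c"; else echo "rejected: $c"; fi
done
```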
# Date: Wed Nov 30 04:29:53 2022 +0100
This adds support for bzip3 [1].
[1] https://github.com/kspalaiologos/bzip3
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
Cosmetics: swap order pbzip2 / bzip3
Signed-off-by: Axel Burri <axel@tty0.ch>
Security vulnerability fixed in alternation regex. Specially crafted
commands may be executed without being properly checked.
Affects all versions >= btrbk-v0.23.0
Regression from:
ccb5ed5e71 ssh_filter_btrbk: allow "realpath" and "cat /proc/self/mounts" on targets
Reported by: @protree (responsible disclosure)
Add compat, compat_local, compat_remote configuration options.
Used for busybox: instead of running `readlink -e` (which is not
available on busybox), run `readlink -f` followed by `test -d`.
btrbk requires "btrfs subvolume list|show" queries from the mount
point in order to build btrfs trees. This conflicts with tightly set
--restrict-path.
It is possible that the subvolume path is not accessible by the user
calling btrbk. When resolving mount points, "readlink" is used on the
path, which also needs to be wrapped with "sudo".
btrbk now runs "btrfs subvolume list" from the mountpoint instead of
the volume path, which for some users is not below --restrict-path. As
the output of "btrfs subvolume list" is the same (complete btrfs tree
for the filesystem), it is ok to ignore the restrict-path here.
Dropped reading of subvolid and realpath by btrfs_subvolume_show(), we
now always read /proc/self/mounts (and call readlink).
When picking the best common parent in get_best_parent(), we want to
list as many snapshots as possible. For now, we list all from the
mountpoint of snaproot ($sroot/<snapshot_dir>), due to a bug in
btrfs-progs [1]. Also added code (commented out) to list snapshots
from all known mountpoints.
[1] https://github.com/kdave/btrfs-progs/issues/96
bugfix for: 796b6bd9bf
Replace realpath with readlink in allowed commands. Commit 796b6bd substituted readlink for realpath in file "btrbk"; this commit propagates the change to ssh_filter_btrbk.sh.