search

digint / btrbk

Tool for creating snapshots and remote backups of btrfs subvolumes
https://digint.ch/btrbk/
GNU General Public License v3.0
1.7k stars 123 forks source link

ssh_filter_btrbk rejects legit command #424

Closed iameru closed 3 years ago

iameru commented 3 years ago

hello there. First of all, many thanks for this amazing piece of helpful software.

3 weeks ago I've been super happy to have this amazing btrbk solution also send backups via ssh.

Then it broke fast. After trying out for some hours and having no clue why here is my post.

This is the Error I get for each snapshot I want to backup from every mashine I use (2 mashines back up to this server)

WARNING: ... ssh_filter_btrbk.sh: ssh command rejected: disallowed command (restrict-path: "/backup/mashine1"): sudo -n btrfs subvolume list -a -c -u -q -R /backup

I get this error with variations, depending on if I set restrict path at all or not in the authorized_keys

this is a .authorized_keys entry:

root@server:~# cat /backup/.ssh/authorized_keys
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info --delete --restrict-path /backup/mashine1 --sudo" ssh-ed25519 KEYKEYKEY[.......] root@mashine1

Some alternatives i tried:

command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info --delete --restrict-path /backup/mashine1 --sudo", restrict ssh-ed25519 KEYKEYKEY[.......] root@mashine1
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info --delete --restrict-path /backup --sudo" ssh-ed25519 KEYKEYKEY[.......] root@mashine1
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh {every possible command}" ssh-ed25519 KEYKEYKEY[.......] root@mashine1

None got through.

It was pretty complicated to get ssh_filter_btrbk to run in the first place, now Im lost completely.

Im using server - btrbk 0.27.1 mashine1 - btrbk 0.31.3 mashine2 - btrbk 0.27.1

iameru commented 3 years ago

had some time to investigate again. seems like the arguments are not parsed correctly.

If I do it manually:

ssh btrbk@backup_server -i /root/.ssh/id_ed25519_noPW "sudo -n btrfs subvolume list -a -c -u -q -R /backup/mashine1"
ERROR: ssh_filter_btrbk.sh: ssh command rejected: disallowed command (restrict-path: "/backup/mashine1"): sudo -n btrfs subvolume list -a -c -u -q -R /backup/mashine1

but it succeeds when just doing:

ssh btrbk@backup_server -i /root/.ssh/id_ed25519_noPW "sudo -n btrfs subvolume list /backup/mashine1"
ID XXX gen XXX [...lengthy list of subvolumes...]
iameru commented 3 years ago

so in the script itself on line 165 it had no placeholders, instead the arguments got sucked up in ${file_match}. This is where it was wrong. I then looked up the current version of ssh_filter_btrbk.sh and this new version works. So we I will close this issue as this was / is apparently an issue of 0.27.1 (which is the latest in the debian repos so others might have this issue too, but still).