Closed calestyo closed 1 year ago
I hadn't seen that this already exists with ssh_filter_btrbk.sh
... π
Wasn't mentioned in the manpages... so I noticed only now. π
Thus closing.
I hadn't seen that this already exists with
ssh_filter_btrbk.sh
... πWasn't mentioned in the manpages... so I noticed only now. π
Thus closing.
Linking instructions here for posterity: https://github.com/digint/btrbk#restrict-commands-with-ssh_filter_btrbksh-optional
Hey.
A nice idea for hardening would be if there was a supported command wrapper script for the remote side.
The
authorized_keys
file would then read something like:regardless of what the accessing remote side would (try to) execute as command... it would be that command that was executed.
The
btrbk-ssh-command-warpper
would in turn call the the right remote command (e.g.btrfs receive
)... of course it must do this carefully in order not to allow code injection (e.g. when it's a shell script).Now obviously some information would need to be passed from
btrbk
to that wrapper, e.g. the path of the remote subvolume, or whether this issend-receive
orraw
mode, etc..These could be passed via environment variables, which
sshd
would need to accept (viaAcceptEnv
).A good protection, would however require more, namely, that the remote side itself can specify what is allowed to be done.
This could IMO be done via command line parameters to the
btrbk-ssh-command-warpper
in theauthorized_keys
file, e.g.The
--receive-only
would forbid to callbtrfs send
or any other commands thanbtrfs receive
on the remote side, preventing that a rogue server could fetch subvolumes from the remote side. The--receive-in /mnt/backups
, would specify, that it must bes received in that path (perhaps multiple allowed)... I guess some prefix matching would need to be done there.The same could be done for the
btrfs send
(when the server pulls from the remote side).Similar restrictions could be made for
raw
mode.One could also fold the
--receive-in path
,--send-from path
and some similar option forraw
mode in one option (--pathname
), and then allow only one of--receive-only
,--send-only
... and if people want to do both per server, they'd need to use different ssh keys (and thus commands).Many more features could be added in the future, e.g. the wrapper having some option that denies
receive
when the disk usage of the target location has exceeded some quota, or when e.g. the fs has less than 10% free space.Cheers, Chris.