Jailing BTRFS
Published 2021-12-01
I've finally gotten around to fixing my backup system as for quite a while I haven't had functional backups (oops). I use btrfs for my root filesystem and really like the backup program btrbk as it's simple, makes use of btrfs' snaphotting features and just works.
Btrbk can use btrfs' built in send and receive commands to send snapshots over SSH to a remote machine. However btrbk needs to run the btrfs recieve command as root so that it can create files with the correct permissions. Whilst I'm sure btrbk is well designed and all, I still don't really want to give a perl script full root access on the backup machine.
That's when I remembered about those fancy jail things that BSD users keep raving about (<3 BSD users) and I have a little experience with chroot so I thought creating a jail like chroot envionment might be the solution. This way I can configure SSH to use the chroot for a user when they login, that way that user doesn't have access to the underlying root filesystem and I can control which tools and programs are available to the user.
So this is the script I came up with a lot of help from bholt's into to containers
#!/bin/sh
# Create an ssh jail for btrbk
JAIL=/var/jail
# Create root layout
mkdir -p $JAIL/backups
mkdir -p $JAIL/bin
mkdir -p $JAIL/dev
mkdir -p $JAIL/lib
mkdir -p $JAIL/proc
mkdir -p $JAIL/sbin
mkdir -p $JAIL/usr/bin
mkdir -p $JAIL/usr/lib
# Create devices
mknod -m 666 $JAIL/dev/null c 1 3
# Copy binaries
cp /bin/sh $JAIL/bin/
cp /bin/cat $JAIL/bin/
cp /sbin/btrfs $JAIL/sbin/
cp /usr/bin/readlink $JAIL/usr/bin/
# Copy required libraries
cp /lib/ld-musl-x86_64.so.1 $JAIL/lib/
cp /lib/libblkid.so.1 $JAIL/lib/
cp /lib/libuuid.so.1 $JAIL/lib/
cp /lib/libz.so.1 $JAIL/lib/
cp /usr/lib/liblzo2.so.2 $JAIL/usr/lib/
cp /usr/lib/libzstd.so.1 $JAIL/usr/lib/
# Mount proc
mount -t proc /proc $JAIL/proc
# Mount the data drive
mount --bind /media/data $JAIL/backups
See aforementioned guide for a more in-depth explanation but the basic run down is as follows
- Create the directories required for a unix filesystem
- Create the required
/dev
special devices (btrbk only needs/dev/null
) - Mount
/proc
- Copy the binaries needed for btrbk into the places it expects to find them
- Copy the libraries required for those binaries (which can be found using
ldd
) into their respective locations
It probably would be better to use hardlinks for the binaries and libraries as that way they can be easily updated by the package manager however for the particular system I'm deploying this on, this isn't an issue.
Security Issues
Whilst I'm sure there are many others (if you find one, feel free to let me know), there 2 main security problems which I can find
- The backup data is accessible and could be modified
- Processes outside the jail are available in
/proc
in the jail
The first problem is going to be an issue with almost any setup as the backup program needs access to the btrfs filesystem to manage the backups. Using SSH keys to prevent unauthorized people gaining access to the chroot in helps mitigate this.
The second problem is one I'm not sure how to best solve. If a bad actor were
able to login, they would be able to access information about processes running
outside the chroot environment (such as envrionment variables, command line
arguments, etc.) from /proc
, potentially leaking sensitive information.
Whilst I'm sure there's a way to restrict what's available in /proc
to only
processes running in the chroot, more research is required (if anyone can link
me to any relevant resources it would be appreciated).