Jailing BTRFS

Published 2021-12-01

A screenshot of the commands ls and clear not working in the jail but btrfs does

I've finally gotten around to fixing my backup system as for quite a while I haven't had functional backups (oops). I use btrfs for my root filesystem and really like the backup program btrbk as it's simple, makes use of btrfs' snaphotting features and just works.

Btrbk can use btrfs' built in send and receive commands to send snapshots over SSH to a remote machine. However btrbk needs to run the btrfs recieve command as root so that it can create files with the correct permissions. Whilst I'm sure btrbk is well designed and all, I still don't really want to give a perl script full root access on the backup machine.

That's when I remembered about those fancy jail things that BSD users keep raving about (<3 BSD users) and I have a little experience with chroot so I thought creating a jail like chroot envionment might be the solution. This way I can configure SSH to use the chroot for a user when they login, that way that user doesn't have access to the underlying root filesystem and I can control which tools and programs are available to the user.

So this is the script I came up with a lot of help from bholt's into to containers

#!/bin/sh

# Create an ssh jail for btrbk

JAIL=/var/jail

# Create root layout
mkdir -p $JAIL/backups
mkdir -p $JAIL/bin
mkdir -p $JAIL/dev
mkdir -p $JAIL/lib
mkdir -p $JAIL/proc
mkdir -p $JAIL/sbin
mkdir -p $JAIL/usr/bin
mkdir -p $JAIL/usr/lib

# Create devices
mknod -m 666 $JAIL/dev/null c 1 3

# Copy binaries
cp /bin/sh $JAIL/bin/
cp /bin/cat $JAIL/bin/
cp /sbin/btrfs $JAIL/sbin/
cp /usr/bin/readlink $JAIL/usr/bin/

# Copy required libraries
cp /lib/ld-musl-x86_64.so.1 $JAIL/lib/
cp /lib/libblkid.so.1 $JAIL/lib/
cp /lib/libuuid.so.1 $JAIL/lib/
cp /lib/libz.so.1 $JAIL/lib/
cp /usr/lib/liblzo2.so.2 $JAIL/usr/lib/
cp /usr/lib/libzstd.so.1 $JAIL/usr/lib/

# Mount proc
mount -t proc /proc $JAIL/proc

# Mount the data drive
mount --bind /media/data $JAIL/backups

See aforementioned guide for a more in-depth explanation but the basic run down is as follows

Create the directories required for a unix filesystem
Create the required /dev special devices (btrbk only needs /dev/null)
Mount /proc
Copy the binaries needed for btrbk into the places it expects to find them
Copy the libraries required for those binaries (which can be found using ldd) into their respective locations

It probably would be better to use hardlinks for the binaries and libraries as that way they can be easily updated by the package manager however for the particular system I'm deploying this on, this isn't an issue.

Security Issues

Whilst I'm sure there are many others (if you find one, feel free to let me know), there 2 main security problems which I can find

The backup data is accessible and could be modified
Processes outside the jail are available in /proc in the jail

The first problem is going to be an issue with almost any setup as the backup program needs access to the btrfs filesystem to manage the backups. Using SSH keys to prevent unauthorized people gaining access to the chroot in helps mitigate this.

The second problem is one I'm not sure how to best solve. If a bad actor were able to login, they would be able to access information about processes running outside the chroot environment (such as envrionment variables, command line arguments, etc.) from /proc, potentially leaking sensitive information. Whilst I'm sure there's a way to restrict what's available in /proc to only processes running in the chroot, more research is required (if anyone can link me to any relevant resources it would be appreciated).