Jailing BTRFS

A screenshot of the commands ls and clear not working in the jail but btrfs does

I've finally gotten around to fixing my backup system as for quite a while I haven't had functional backups (oops). I use btrfs for my root filesystem and really like the backup program btrbk [1] as it's simple, makes use of btrfs' snaphotting features and just works.

Btrbk can use btrfs' built in send and receive commands to send snapshots over SSH to a remote machine. However btrbk needs to run the btrfs recieve command as root so that it can create files with the correct permissions. Whilst I'm sure btrbk is well designed and all, I still don't really want to give a perl script full root access on the backup machine.

That's when I remembered about those fancy jail things that BSD users keep raving about (<3 BSD users) and I have a little experience with chroot so I thought creating a jail like chroot envionment might be the solution. This way I can configure SSH to use the chroot for a user when they login, that way that user doesn't have access to the underlying root filesystem and I can control which tools and programs are available to the user.

So this is the script I came up with a lot of help from [2]


	# Create an ssh jail for btrbk


	# Create root layout
	mkdir -p $JAIL/backups
	mkdir -p $JAIL/bin
	mkdir -p $JAIL/dev
	mkdir -p $JAIL/lib
	mkdir -p $JAIL/proc
	mkdir -p $JAIL/sbin
	mkdir -p $JAIL/usr/bin
	mkdir -p $JAIL/usr/lib

	# Create devices
	mknod -m 666 $JAIL/dev/null c 1 3

	# Copy binaries
	cp /bin/sh $JAIL/bin/
	cp /bin/cat $JAIL/bin/
	cp /sbin/btrfs $JAIL/sbin/
	cp /usr/bin/readlink $JAIL/usr/bin/

	# Copy required libraries
	cp /lib/ld-musl-x86_64.so.1 $JAIL/lib/
	cp /lib/libblkid.so.1 $JAIL/lib/
	cp /lib/libuuid.so.1 $JAIL/lib/
	cp /lib/libz.so.1 $JAIL/lib/
	cp /usr/lib/liblzo2.so.2 $JAIL/usr/lib/
	cp /usr/lib/libzstd.so.1 $JAIL/usr/lib/

	# Mount proc
	mount -t proc /proc $JAIL/proc

	# Mount the data drive
	mount --bind /media/data $JAIL/backups

See [2] for a more in-depth explanation but the basic run down is as follows

It probably would be better to use hardlinks for the binaries and libraries as that way they can be easily updated by the package manager however for the particular system I'm deploying this on, this isn't an issue.

Security Issues

Whilst I'm sure there are many others (if you find one, feel free to let me know), there 2 main security problems which I can find

  1. The backup data is accessible and could be modified
  2. Processes outside the jail are available in /proc in the jail

The first problem is going to be an issue with almost any setup as the backup program needs access to the btrfs filesystem to manage the backups. Using SSH keys to prevent unauthorized people gaining access to the chroot in helps mitigate this.

The second problem is one I'm not sure how to best solve. If a bad actor were able to login, they would be able to access information about processes running outside the chroot environment (such as envrionment variables, command line arguments, etc.) from /proc, potentially leaking sensitive information. Whilst I'm sure there's a way to restrict what's available in /proc to only processes running in the chroot, more research is required (if anyone can link me to any relevant resources it would be appreciated).


  1. https://digint.ch/btrbk/
  2. https://btholt.github.io/complete-intro-to-containers/chroot