Jailing BTRFS

[Screenshot: the commands ls and clear not working in the jail, but btrfs does]

I've finally gotten around to fixing my backup system, as for quite a while I haven't had functional backups (oops). I use btrfs for my root filesystem and really like the backup program btrbk [1] as it's simple, makes use of btrfs' snapshotting features and just works.

Btrbk can use btrfs' built-in send and receive commands to send snapshots over SSH to a remote machine. However, btrbk needs to run the btrfs receive command as root so that it can create files with the correct permissions. Whilst I'm sure btrbk is well designed and all, I still don't really want to give a Perl script full root access on the backup machine.

That's when I remembered about those fancy jail things that BSD users keep raving about (<3 BSD users), and I have a little experience with chroot, so I thought creating a jail-like chroot environment might be the solution. This way I can configure SSH to use the chroot for a user when they log in; that user then doesn't have access to the underlying root filesystem, and I can control which tools and programs are available to them.

So this is the script I came up with, with a lot of help from [2]:


	#!/bin/sh

	# Create an ssh jail for btrbk

	# Abort on the first failing command rather than building a half-finished jail
	set -e

	JAIL=/var/jail

	# Create root layout
	mkdir -p "$JAIL/backups"
	mkdir -p "$JAIL/bin"
	mkdir -p "$JAIL/dev"
	mkdir -p "$JAIL/lib"
	mkdir -p "$JAIL/proc"
	mkdir -p "$JAIL/sbin"
	mkdir -p "$JAIL/usr/bin"
	mkdir -p "$JAIL/usr/lib"

	# Create devices (only /dev/null is needed; skip it if the script is re-run)
	[ -c "$JAIL/dev/null" ] || mknod -m 666 "$JAIL/dev/null" c 1 3

	# Copy binaries: a shell, cat and readlink for ssh/btrbk, and btrfs itself
	cp /bin/sh "$JAIL/bin/"
	cp /bin/cat "$JAIL/bin/"
	cp /sbin/btrfs "$JAIL/sbin/"
	cp /usr/bin/readlink "$JAIL/usr/bin/"

	# Copy required libraries (this list is for a musl/x86_64 system such as Alpine;
	# on other systems use `ldd` on each binary above to find what it needs)
	cp /lib/ld-musl-x86_64.so.1 "$JAIL/lib/"
	cp /lib/libblkid.so.1 "$JAIL/lib/"
	cp /lib/libuuid.so.1 "$JAIL/lib/"
	cp /lib/libz.so.1 "$JAIL/lib/"
	cp /usr/lib/liblzo2.so.2 "$JAIL/usr/lib/"
	cp /usr/lib/libzstd.so.1 "$JAIL/usr/lib/"

	# Mount proc (btrfs needs it to find its own mounts)
	mount -t proc /proc "$JAIL/proc"

	# Mount the data drive where the backups will be received
	mount --bind /media/data "$JAIL/backups"

See [2] for a more in-depth explanation, but the basic rundown is as follows.

It would probably be better to use hard links for the binaries and libraries, as that way they are updated in place by the package manager; however, on the particular system I'm deploying this on, this isn't an issue.

Security Issues

Whilst I'm sure there are many others (if you find one, feel free to let me know), there are 2 main security problems which I can find:

  1. The backup data is accessible and could be modified
  2. Processes outside the jail are available in /proc in the jail

The first problem is going to be an issue with almost any setup, as the backup program needs access to the btrfs filesystem to manage the backups. Using SSH keys to prevent unauthorized people from gaining access to the chroot helps mitigate this.

The second problem is one I'm not sure how to best solve. If a bad actor were able to log in, they would be able to access information about processes running outside the chroot environment (such as environment variables, command line arguments, etc.) from /proc, potentially leaking sensitive information. Whilst I'm sure there's a way to restrict what's available in /proc to only processes running in the chroot, more research is required (if anyone can link me to any relevant resources it would be appreciated).
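Two things a practitioner would want to check on a jail like this, as an added example that is not code from the post or from btrbk: first, when the chroot is applied by sshd's ChrootDirectory (the SSH setup described earlier), sshd refuses the jail unless every component of the path is owned by root and not writable by group or others, so the jail directory's permissions are worth verifying; second, the /proc leak above is what the proc mount option hidepid=2 (spelled hidepid=invisible on newer kernels, optionally with gid= to exempt one group) exists for, and it can be confirmed from /proc/mounts. The script assumes a Linux stat that accepts -c (GNU or busybox), the post's /var/jail, and a jailed user name "btrbk" chosen here; the sample mounts data it parses is constructed.

```shell
#!/bin/sh
# Added checks for a ChrootDirectory-based ssh jail. Example code, not part of
# the original post or of btrbk. Assumes GNU/busybox `stat -c`, the post's
# /var/jail, and a hypothetical jailed user named "btrbk".

JAIL=${JAIL:-/var/jail}
JAIL_USER=${JAIL_USER:-btrbk}

# sshd only honours ChrootDirectory when every directory on the path is owned
# by root and writable by nobody else. Check one directory: its owner must be
# uid $2 and the group/other write bits must be clear.
dir_safe_for_chroot() {
    dir=$1; want_uid=$2
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1
    perms=$(stat -c %A "$dir")                 # e.g. drwxr-xr-x
    [ "$uid" = "$want_uid" ] || return 1
    case "$(printf '%s' "$perms" | cut -c6)" in w) return 1 ;; esac   # group write
    case "$(printf '%s' "$perms" | cut -c9)" in w) return 1 ;; esac   # other write
    return 0
}

# Walk the jail path upwards (/var/jail, /var, /) applying the check above.
jail_path_ok() {
    p=$1
    while :; do
        dir_safe_for_chroot "$p" 0 || { echo "unsafe for ChrootDirectory: $p"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Report whether the proc mounted at $1/proc carries hidepid=2 (or its newer
# spelling hidepid=invisible). $2 is a file in /proc/mounts format, so a
# captured copy can be checked offline; it defaults to the live /proc/mounts.
jail_proc_hidden() {
    mounts=${2:-/proc/mounts}
    opts=$(awk -v mp="$1/proc" '$2 == mp && $3 == "proc" { print $4 }' "$mounts")
    [ -n "$opts" ] || { echo "no proc mounted at $1/proc"; return 1; }
    case ",$opts," in
        *,hidepid=2,*|*,hidepid=invisible,*) return 0 ;;
        *) echo "proc at $1/proc lacks hidepid (options: $opts)"; return 1 ;;
    esac
}

# sshd_config Match block for the jailed user: chroot into the jail and switch
# off the forwarding and tty features a backup receiver never needs. Append to
# sshd_config and validate with `sshd -t` before reloading.
sshd_match_block() {
    cat <<EOF
Match User $JAIL_USER
    ChrootDirectory $JAIL
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Demo on constructed data: a jail proc mounted with hidepid and one without.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /var/jail/proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
proc /var/jail-old/proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
if jail_proc_hidden /var/jail "$SAMPLE_MOUNTS"; then
    echo "sample: proc under /var/jail hides other users' processes"
fi
jail_proc_hidden /var/jail-old "$SAMPLE_MOUNTS" || true
rm -f "$SAMPLE_MOUNTS"

# Live checks against this machine's jail (informational; both fail harmlessly
# where no jail exists).
if jail_path_ok "$JAIL"; then echo "$JAIL path is acceptable to sshd"; fi
jail_proc_hidden "$JAIL" || true
sshd_match_block
```

The mount line that applies the option is `mount -t proc -o hidepid=2 proc "$JAIL/proc"` (or `hidepid=invisible,gid=<group>` on newer kernels); after running it, `jail_proc_hidden /var/jail` against the live /proc/mounts should succeed. The path check is deliberately per-directory so a jail placed under a world-writable parent such as /tmp is rejected the same way sshd would reject it.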

References

  1. https://digint.ch/btrbk/
  2. https://btholt.github.io/complete-intro-to-containers/chroot