New upstream version 22.07

.Jenkinsfile

@@ -5,7 +5,7 @@ pipeline {
             agent {
                 docker {
                     image 'evolix/gbp:bullseye'
-                    args '-u root --privileged -v /tmp:/tmp'
+                    args '-u root --privileged'
                 }
             }
             when {
@@ -14,7 +14,7 @@ pipeline {
             steps {
                 script {
                     sh 'mk-build-deps --install --remove debian/control'
-                    sh 'rm -rf source'
+                    sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt,.git}'
                     sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source"
                     sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc'
                 }
@@ -29,8 +29,8 @@ pipeline {
             steps {
                 script {
                     sh 'echo Dummy line to remove once something actually happens.'
-                 /* No crendentials yet
-                    sh 'rsync -avP /tmp/bkctld/ droneci@pub.evolix.net:/home/droneci/bkctld/'
+                 /* No crendentials yet.
+                    sh 'rsync -avP bkctld* droneci@pub.evolix.net:/home/droneci/bkctld/'
                   */
                 }
             }

.drone.yml

@@ -15,9 +15,6 @@ steps:
   - mk-build-deps --install --remove debian/control
   - git clean --force
   - gbp buildpackage -us -uc
-  volumes:
-  - name: tmp
-    path: /tmp
   when:
     branch:
     - debian
@@ -31,16 +28,8 @@ steps:
     key:
       from_secret: drone_private_key
     target: /home/droneci/bkctld/
-    source: /tmp/bkctld/
+    source: ../bkctld*
     delete: true
-  volumes:
-  - name: tmp
-    path: /tmp
   when:
     branch:
     - debian
-
-volumes:
-- name: tmp
-  host:
-    path: /tmp

server/CHANGELOG.md

@@ -18,6 +18,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
+## [22.07] - 2022-07-20
+
+### Changed
+
+* check-setup: check minifirewall version only if minifirewall is present
+* check-setup: get minifirewall version from internal variable (there is no other backward compatible way)
+* check-setup: use findmnt with mountpoint instead of target
+
 ## [22.06] - 2022-06-28
 
 ### Added

server/README.md

@@ -4,7 +4,7 @@ Bkctld (aka server-side evobackup)
 bkctld helps you manage the receiving side of a backup infrastructure.
 It is licensed under the AGPLv3.
 
-With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with it's own TCP port and optionnaly it's own set of iptables rules.
+With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with its own TCP port and optionally its own set of iptables rules.
 
 With bkctld you can have hundreds of jails, one for each client to push its data (using Rsync/SFTP). Each client can only see its own data.
 
@@ -30,9 +30,7 @@ This volume can also be encrypted with **LUKS**.
 
 ## Security considerations
 
-The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk or complete backup erasure from a compromised client.
-
-Since the client connects to the backup server with root, it can mess with the jail and destroy the data. But the timestamped copies are out of reach because outside of the chroot.
+The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk of complete backup erasure from a compromised client.
 
 It means that **if the client server is compromised**, an attacker can destroy the latest copy of the backed up data, but not the timestamped copies.
 And **if the backup server is compromised** an attacker has complete access to all the backup data (inside and outside the jails), but they don't have any access to the client.
@@ -77,6 +75,8 @@ vagrant@buster-btrfs $ sudo -i
 root@buster-btrfs # bats /vagrant/test/*.bats
 ~~~
 
+[comment]: <> (* pour vim)
+
 You should shellcheck your bats files, but with shellcheck > 0.4.6, because the 0.4.0 version doesn't support bats syntax.
 
 ## Usage
@@ -99,7 +99,7 @@ pandoc -f markdown \
 #### Client configuration
 
 You can backup various systems in the evobackup jails : Linux, BSD,
-Windows, macOS. The only need Rsync or an SFTP client.
+Windows, macOS. The only need is Rsync or an SFTP client.
 
 ~~~
 rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/

server/lib/bkctld-check-setup

@@ -16,7 +16,7 @@ output=""
 
 # Verify backup partition is mounted and writable
 
-findmnt -O rw --target "${BACKUP_PARTITION}" > /dev/null
+findmnt -O rw --mountpoint "${BACKUP_PARTITION}" > /dev/null
 if [ "$?" -ne 0 ]; then
     nb_crit=$((nb_crit + 1))
     output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n"
@@ -29,11 +29,12 @@ fi
 # Check if the firewall file is sourced
 
 minifirewall_config=/etc/default/minifirewall
-minifirewall_version=$(/etc/init.d/minifirewall status | head -1 | cut -d ' ' -f 3)
 
 if [ -n "${FIREWALL_RULES}" ] \
 && [ -r "${FIREWALL_RULES}" ] \
 && [ -f "${minifirewall_config}" ]; then
+    minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"')
+
     if [ -n "${minifirewall_version}" ] && dpkg --compare-versions "${minifirewall_version}" ge "22.03"; then
         # Minifirewall 22.03+ includes files automatically
         nb_ok=$((nb_ok + 1))

server/lib/includes

@@ -6,7 +6,7 @@
 
 [ -f /etc/default/bkctld ] && . /etc/default/bkctld
 
-VERSION="22.04"
+VERSION="22.07"
 
 LIBDIR=${LIBDIR:-/usr/lib/bkctld}
 CONFDIR="${CONFDIR:-/etc/evobackup}"