diff --git a/.Jenkinsfile b/.Jenkinsfile index 0b3ae83..583a3ad 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -5,7 +5,7 @@ pipeline { agent { docker { image 'evolix/gbp:bullseye' - args '-u root --privileged -v /tmp:/tmp' + args '-u root --privileged' } } when { @@ -14,7 +14,7 @@ pipeline { steps { script { sh 'mk-build-deps --install --remove debian/control' - sh 'rm -rf source' + sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt,.git}' sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source" sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc' } @@ -29,8 +29,8 @@ pipeline { steps { script { sh 'echo Dummy line to remove once something actually happens.' - /* No crendentials yet - sh 'rsync -avP /tmp/bkctld/ droneci@pub.evolix.net:/home/droneci/bkctld/' + /* No crendentials yet. + sh 'rsync -avP bkctld* droneci@pub.evolix.net:/home/droneci/bkctld/' */ } } diff --git a/.drone.yml b/.drone.yml index cd183e5..97a9e97 100644 --- a/.drone.yml +++ b/.drone.yml @@ -15,9 +15,6 @@ steps: - mk-build-deps --install --remove debian/control - git clean --force - gbp buildpackage -us -uc - volumes: - - name: tmp - path: /tmp when: branch: - debian @@ -31,16 +28,8 @@ steps: key: from_secret: drone_private_key target: /home/droneci/bkctld/ - source: /tmp/bkctld/ + source: ../bkctld* delete: true - volumes: - - name: tmp - path: /tmp when: branch: - debian - -volumes: -- name: tmp - host: - path: /tmp diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md index cf3a7e4..0c21896 100644 --- a/server/CHANGELOG.md +++ b/server/CHANGELOG.md @@ -18,6 +18,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security +## [22.07] - 2022-07-20 + +### Changed + +* check-setup: check minifirewall version only if minifirewall is present +* check-setup: get minifirewall version from internal variable (there is no other backward compatible way) +* check-setup: use findmnt with mountpoint instead of target + ## [22.06] - 2022-06-28 ### Added diff --git a/server/README.md b/server/README.md index 8ad80e7..9d93fa9 100644 --- a/server/README.md +++ b/server/README.md @@ -4,7 +4,7 @@ Bkctld (aka server-side evobackup) bkctld helps you manage the receiving side of a backup infrastructure. It is licensed under the AGPLv3. -With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with it's own TCP port and optionnaly it's own set of iptables rules. +With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with its own TCP port and optionally its own set of iptables rules. With bkctld you can have hundreds of jails, one for each client to push its data (using Rsync/SFTP). Each client can only see its own data. @@ -30,9 +30,7 @@ This volume can also be encrypted with **LUKS**. ## Security considerations -The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk or complete backup erasure from a compromised client. - -Since the client connects to the backup server with root, it can mess with the jail and destroy the data. But the timestamped copies are out of reach because outside of the chroot. +The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk of complete backup erasure from a compromised client. It means that **if the client server is compromised**, an attacker can destroy the latest copy of the backed up data, but not the timestamped copies. And **if the backup server is compromised** an attacker has complete access to all the backup data (inside and outside the jails), but they don't have any access to the client. @@ -77,6 +75,8 @@ vagrant@buster-btrfs $ sudo -i root@buster-btrfs # bats /vagrant/test/*.bats ~~~ +[comment]: <> (* pour vim) + You should shellcheck your bats files, but with shellcheck > 0.4.6, because the 0.4.0 version doesn't support bats syntax. ## Usage @@ -99,7 +99,7 @@ pandoc -f markdown \ #### Client configuration You can backup various systems in the evobackup jails : Linux, BSD, -Windows, macOS. The only need Rsync or an SFTP client. +Windows, macOS. The only need is Rsync or an SFTP client. ~~~ rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/ diff --git a/server/lib/bkctld-check-setup b/server/lib/bkctld-check-setup index 8bbcda9..137c49c 100755 --- a/server/lib/bkctld-check-setup +++ b/server/lib/bkctld-check-setup @@ -16,7 +16,7 @@ output="" # Verify backup partition is mounted and writable -findmnt -O rw --target "${BACKUP_PARTITION}" > /dev/null +findmnt -O rw --mountpoint "${BACKUP_PARTITION}" > /dev/null if [ "$?" -ne 0 ]; then nb_crit=$((nb_crit + 1)) output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n" @@ -29,11 +29,12 @@ fi # Check if the firewall file is sourced minifirewall_config=/etc/default/minifirewall -minifirewall_version=$(/etc/init.d/minifirewall status | head -1 | cut -d ' ' -f 3) if [ -n "${FIREWALL_RULES}" ] \ && [ -r "${FIREWALL_RULES}" ] \ && [ -f "${minifirewall_config}" ]; then + minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"') + if [ -n "${minifirewall_version}" ] && dpkg --compare-versions "${minifirewall_version}" ge "22.03"; then # Minifirewall 22.03+ includes files automatically nb_ok=$((nb_ok + 1)) diff --git a/server/lib/includes b/server/lib/includes index 91321a3..3653c40 100755 --- a/server/lib/includes +++ b/server/lib/includes @@ -6,7 +6,7 @@ [ -f /etc/default/bkctld ] && . /etc/default/bkctld -VERSION="22.04" +VERSION="22.07" LIBDIR=${LIBDIR:-/usr/lib/bkctld} CONFDIR="${CONFDIR:-/etc/evobackup}"