From bdb84e809f9cdba04a7530be1d111d1df3fcf7f0 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 29 Jun 2022 13:41:31 +0200 Subject: [PATCH 1/8] =?UTF-8?q?CI:=20Don=E2=80=99t=20rely=20on=20/tmp?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit /tmp is mounted noexec, so can’t be used to run scripts. --- .Jenkinsfile | 6 +++--- .drone.yml | 13 +------------ 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 0b3ae83..6cabf61 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -5,7 +5,7 @@ pipeline { agent { docker { image 'evolix/gbp:bullseye' - args '-u root --privileged -v /tmp:/tmp' + args '-u root --privileged' } } when { @@ -29,8 +29,8 @@ pipeline { steps { script { sh 'echo Dummy line to remove once something actually happens.' - /* No crendentials yet - sh 'rsync -avP /tmp/bkctld/ droneci@pub.evolix.net:/home/droneci/bkctld/' + /* No crendentials yet. + sh 'rsync -avP bkctld* droneci@pub.evolix.net:/home/droneci/bkctld/' */ } } diff --git a/.drone.yml b/.drone.yml index cd183e5..97a9e97 100644 --- a/.drone.yml +++ b/.drone.yml @@ -15,9 +15,6 @@ steps: - mk-build-deps --install --remove debian/control - git clean --force - gbp buildpackage -us -uc - volumes: - - name: tmp - path: /tmp when: branch: - debian @@ -31,16 +28,8 @@ steps: key: from_secret: drone_private_key target: /home/droneci/bkctld/ - source: /tmp/bkctld/ + source: ../bkctld* delete: true - volumes: - - name: tmp - path: /tmp when: branch: - debian - -volumes: -- name: tmp - host: - path: /tmp From 7901fd1950dc3a36ca8778cb567393d8fa818380 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 29 Jun 2022 14:03:03 +0200 Subject: [PATCH 2/8] Jenkins CI: Improve clean up --- .Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 6cabf61..a8de7f2 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -14,7 +14,7 @@ pipeline { steps { script { sh 'mk-build-deps --install --remove debian/control' - sh 'rm -rf source' + sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt}' sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source" sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc' } From ba4629bee70553bd572bfbc3d0be9610677b1597 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 30 Jun 2022 15:53:39 +0200 Subject: [PATCH 3/8] server/README.md: tfix --- server/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/server/README.md b/server/README.md index 8ad80e7..9d93fa9 100644 --- a/server/README.md +++ b/server/README.md @@ -4,7 +4,7 @@ Bkctld (aka server-side evobackup) bkctld helps you manage the receiving side of a backup infrastructure. It is licensed under the AGPLv3. -With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with it's own TCP port and optionnaly it's own set of iptables rules. +With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with its own TCP port and optionally its own set of iptables rules. With bkctld you can have hundreds of jails, one for each client to push its data (using Rsync/SFTP). Each client can only see its own data. @@ -30,9 +30,7 @@ This volume can also be encrypted with **LUKS**. ## Security considerations -The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk or complete backup erasure from a compromised client. - -Since the client connects to the backup server with root, it can mess with the jail and destroy the data. But the timestamped copies are out of reach because outside of the chroot. +The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk of complete backup erasure from a compromised client. It means that **if the client server is compromised**, an attacker can destroy the latest copy of the backed up data, but not the timestamped copies. And **if the backup server is compromised** an attacker has complete access to all the backup data (inside and outside the jails), but they don't have any access to the client. @@ -77,6 +75,8 @@ vagrant@buster-btrfs $ sudo -i root@buster-btrfs # bats /vagrant/test/*.bats ~~~ +[comment]: <> (* pour vim) + You should shellcheck your bats files, but with shellcheck > 0.4.6, because the 0.4.0 version doesn't support bats syntax. ## Usage @@ -99,7 +99,7 @@ pandoc -f markdown \ #### Client configuration You can backup various systems in the evobackup jails : Linux, BSD, -Windows, macOS. The only need Rsync or an SFTP client. +Windows, macOS. The only need is Rsync or an SFTP client. ~~~ rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/ From f0581fee47951a68f899939de38a0fefe5fac1e4 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 11 Jul 2022 14:39:50 +0200 Subject: [PATCH 4/8] CI: Drop .git directory that was not present during first build --- .Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index a8de7f2..583a3ad 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -14,7 +14,7 @@ pipeline { steps { script { sh 'mk-build-deps --install --remove debian/control' - sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt}' + sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt,.git}' sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source" sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc' } From aef2637c1e72ec3fabfb0c1b90145d294d93e9dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Jul 2022 13:43:33 +0200 Subject: [PATCH 5/8] check-setup: get minifirewall version from internal variable there is no other backward compatible way : * really old version don't have a know version * some versions used to display the version on each command, but it is removed. * the VERSION variable seems to be the most forward-compatible way --- server/CHANGELOG.md | 2 ++ server/lib/bkctld-check-setup | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md index cf3a7e4..ccc06fc 100644 --- a/server/CHANGELOG.md +++ b/server/CHANGELOG.md @@ -10,6 +10,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed +* check-setup: get minifirewall version from internal variable (there is no other backward compatible way) + ### Deprecated ### Removed diff --git a/server/lib/bkctld-check-setup b/server/lib/bkctld-check-setup index 8bbcda9..5f9983a 100755 --- a/server/lib/bkctld-check-setup +++ b/server/lib/bkctld-check-setup @@ -29,7 +29,7 @@ fi # Check if the firewall file is sourced minifirewall_config=/etc/default/minifirewall -minifirewall_version=$(/etc/init.d/minifirewall status | head -1 | cut -d ' ' -f 3) +minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"') if [ -n "${FIREWALL_RULES}" ] \ && [ -r "${FIREWALL_RULES}" ] \ From 1891c98f57556ad99c35c5556141cade26416ac4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Jul 2022 14:23:13 +0200 Subject: [PATCH 6/8] check-setup: use findmnt with mountpoint instead of target --- server/lib/bkctld-check-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/lib/bkctld-check-setup b/server/lib/bkctld-check-setup index 5f9983a..6e8ac21 100755 --- a/server/lib/bkctld-check-setup +++ b/server/lib/bkctld-check-setup @@ -16,7 +16,7 @@ output="" # Verify backup partition is mounted and writable -findmnt -O rw --target "${BACKUP_PARTITION}" > /dev/null +findmnt -O rw --mountpoint "${BACKUP_PARTITION}" > /dev/null if [ "$?" -ne 0 ]; then nb_crit=$((nb_crit + 1)) output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n" From a3ca2f0f68e66c221d1a615522157532fb475ebf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Jul 2022 14:24:12 +0200 Subject: [PATCH 7/8] check-setup: check minifirewall version only if minifirewall is present --- server/lib/bkctld-check-setup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/lib/bkctld-check-setup b/server/lib/bkctld-check-setup index 6e8ac21..137c49c 100755 --- a/server/lib/bkctld-check-setup +++ b/server/lib/bkctld-check-setup @@ -29,11 +29,12 @@ fi # Check if the firewall file is sourced minifirewall_config=/etc/default/minifirewall -minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"') if [ -n "${FIREWALL_RULES}" ] \ && [ -r "${FIREWALL_RULES}" ] \ && [ -f "${minifirewall_config}" ]; then + minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"') + if [ -n "${minifirewall_version}" ] && dpkg --compare-versions "${minifirewall_version}" ge "22.03"; then # Minifirewall 22.03+ includes files automatically nb_ok=$((nb_ok + 1)) From e7b7f50d9dee811b1756d9db72d00ee131b02d1f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Jul 2022 14:31:22 +0200 Subject: [PATCH 8/8] server: release 22.07 --- server/CHANGELOG.md | 10 ++++++++-- server/lib/includes | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md index ccc06fc..0c21896 100644 --- a/server/CHANGELOG.md +++ b/server/CHANGELOG.md @@ -10,8 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed -* check-setup: get minifirewall version from internal variable (there is no other backward compatible way) - ### Deprecated ### Removed @@ -20,6 +18,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security +## [22.07] - 2022-07-20 + +### Changed + +* check-setup: check minifirewall version only if minifirewall is present +* check-setup: get minifirewall version from internal variable (there is no other backward compatible way) +* check-setup: use findmnt with mountpoint instead of target + ## [22.06] - 2022-06-28 ### Added diff --git a/server/lib/includes b/server/lib/includes index 91321a3..3653c40 100755 --- a/server/lib/includes +++ b/server/lib/includes @@ -6,7 +6,7 @@ [ -f /etc/default/bkctld ] && . /etc/default/bkctld -VERSION="22.04" +VERSION="22.07" LIBDIR=${LIBDIR:-/usr/lib/bkctld} CONFDIR="${CONFDIR:-/etc/evobackup}"