From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: linux-btrfs@vger.kernel.org, dsterba@suse.cz
Cc: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
Subject: [PATCH] btrfs-progs: better document btrfs receive security
Date: Fri, 3 Feb 2017 08:48:58 -0500 [thread overview]
Message-ID: <20170203134858.75210-1-ahferroin7@gmail.com> (raw)
This adds some extra documentation to the btrfs-receive manpage that
explains some of the security related aspects of btrfs-receive. The
first part covers the fact that the subvolume being received is writable
until the receive finishes, and the second covers the current lack of
sanity checking of the send stream.
Signed-off-by: Austin S. Hemmelgarn <ahferroin7@gmail.com>
---
Inspired by a recent thread on the ML.
This could probably be more thorough, but I felt it was more important
to get it documented as quickly as possible, and this should cover the
basic info that most people will care about.
Documentation/btrfs-receive.asciidoc | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/Documentation/btrfs-receive.asciidoc b/Documentation/btrfs-receive.asciidoc
index a6838e5e..1ada396f 100644
--- a/Documentation/btrfs-receive.asciidoc
+++ b/Documentation/btrfs-receive.asciidoc
@@ -68,6 +68,26 @@ dump the stream metadata, one line per operation
+
Does not require the 'path' parameter. The filesystem chanded.
+SECURITY
+--------
+Because of how *btrfs receive* works, subvolumes that are in the
+process of being received are writable. As a result of this, there
+is a possibility that a subvolume for which the receive operation just
+completed may not be identical to the originally sent subvolume.
+
+To avoid this in cases where more than one user may have access to the
+area the received subvolumes are being stored, it is reccommended to
+receive subvolumes into a staging area which is only accessible to the
+user who is running receive, and then move then into the final destination
+when the receive command completes.
+
+Additionally, receive does not currently do a very good job of validating
+that an incremental send streams actually makes sense, and it is thus
+possible for a specially crafted send stream to create a subvolume with
+reflinks to arbitrary files in the same filesystem. Because of this,
+users are advised to not use *btrfs receive* on send streams from
+untrusted sources.
+
EXIT STATUS
-----------
*btrfs receive* returns a zero exit status if it succeeds. Non zero is
--
2.11.0
next reply other threads:[~2017-02-03 13:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 13:48 Austin S. Hemmelgarn [this message]
2017-02-07 18:27 ` [PATCH] btrfs-progs: better document btrfs receive security David Sterba
2017-02-08 12:29 ` Austin S. Hemmelgarn
2017-02-08 12:55 ` David Sterba
2017-02-07 22:32 ` Kai Krakow
2017-02-07 22:40 ` Kai Krakow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170203134858.75210-1-ahferroin7@gmail.com \
--to=ahferroin7@gmail.com \
--cc=dsterba@suse.cz \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).