Man page - ssh_filter_btrbk(1)

Packages contains this manual

Package:  btrbk
apt-get install btrbk

Manuals in package:
• ssh_filter_btrbk(1)
• btrbk(1)
• lsbtr(1)
• btrbk.conf(5)
Documentations in package:
• btrbk

Manual

SSH_FILTER_BTRBK

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
AVAILABILITY
SEE ALSO
AUTHOR

---

NAME

ssh_filter_btrbk - ssh command filter script for btrbk

SYNOPSIS

ssh_filter_btrbk.sh [-s|--source] [-t|--target] [-d|--delete]
[-i|--info] [--snapshot] [--send] [--receive]
[-p|--restrict-path <path>] [-l|--log] [--sudo]

DESCRIPTION

ssh_filter_btrbk.sh restricts SSH commands to commands used by btrbk . It examines the SSH_ORIGINAL_COMMAND environment variable (set by sshd) and executes it only if it contains commands used by btrbk .

The accepted commands are specified by the "--source", "--target", "--delete" and "--info" options.

The following commands are always allowed:

• "btrfs subvolume show" (not affected by "--restrict-path")

• "btrfs subvolume list" (not affected by "--restrict-path")

• "readlink"

• "test -d" (only if "compat busybox" configuration option is set)

• "cat /proc/self/mountinfo"

• pipes through "gzip", "pigz", "bzip2", "pbzip2", "bzip3", "xz", "lzop", "lz4", "zstd" (stream_compress)

• pipes through "mbuffer" (stream_buffer, rate_limit)

Example line in /root/.ssh/authorized_keys on a backup target host:

command="ssh_filter_btrbk.sh --target --delete --restrict-path /mnt/btr_backup",restrict ssh-rsa AAAAB3NzaC1...hwumXFRQBL btrbk@example.org

OPTIONS

-s, --source

Allow commands for backup source: "btrfs subvolume snapshot", "btrfs send". Equivalent to "--snapshot --send".

-t, --target

Allow commands for backup and archive target: "btrfs receive", "mkdir".

-d, --delete

Allow commands for subvolume deletion: "btrfs subvolume delete". This is used for backup source if snapshot_preserve_daily is not set to “all”, and for backup targets if target_preserve_daily is not set to “all”.

-i, --info

Allow informative commands: "btrfs subvolume find-new", "btrfs filesystem usage". This is used by btrbk info and diff commands.

--snapshot

Allow btrfs snapshot command: "btrfs subvolume snapshot".

--send

Allow btrfs send command: "btrfs send".

--receive

Allow btrfs receive command: "btrfs receive".

-p, --restrict-path <path>

Restrict commands to <path>. Note that "btrfs subvolume show", "btrfs subvolume list" are NOT affected by this option.

It is not possible to restrict commands to exact subvolume names, as btrfs-receive(8) takes a <path> as argument (directory, not including the subvolume file name to be created, this is encoded in the send-stream).

-l, --log

Log ACCEPT and REJECT messages to the system log.

--sudo

Allow btrfs commands to be called via sudo. Enable this if you have "backend btrfs-progs-sudo" in your btrbk configuration file.

AVAILABILITY

Please refer to the btrbk project page <https://digint.ch/btrbk/> for further details.

SEE ALSO

btrbk (1), btrbk.conf (5), btrfs (8)

AUTHOR

Axel Burri <axel@tty0.ch>

---