[PATCH] btrfs-progs: better document btrfs receive security

[PATCH] btrfs-progs: better document btrfs receive security

[Austin S. Hemmelgarn]

This adds some extra documentation to the btrfs-receive manpage that
explains some of the security related aspects of btrfs-receive.  The
first part covers the fact that the subvolume being received is writable
until the receive finishes, and the second covers the current lack of
sanity checking of the send stream.

Signed-off-by: Austin S. Hemmelgarn <ahferroin7@gmail.com>

---
Inspired by a recent thread on the ML.

This could probably be more thorough, but I felt it was more important
to get it documented as quickly as possible, and this should cover the
basic info that most people will care about.

 Documentation/btrfs-receive.asciidoc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/Documentation/btrfs-receive.asciidoc b/Documentation/btrfs-receive.asciidoc
index a6838e5e..1ada396f 100644
--- a/Documentation/btrfs-receive.asciidoc
+++ b/Documentation/btrfs-receive.asciidoc
@@ -68,6 +68,26 @@ dump the stream metadata, one line per operation
 +
 Does not require the 'path' parameter. The filesystem chanded.
 
+SECURITY
+--------
+Because of how *btrfs receive* works, subvolumes that are in the
+process of being received are writable.  As a result of this, there
+is a possibility that a subvolume for which the receive operation just
+completed may not be identical to the originally sent subvolume.
+
+To avoid this in cases where more than one user may have access to the
+area the received subvolumes are being stored, it is reccommended to
+receive subvolumes into a staging area which is only accessible to the
+user who is running receive, and then move then into the final destination
+when the receive command completes.
+
+Additionally, receive does not currently do a very good job of validating
+that an incremental send streams actually makes sense, and it is thus
+possible for a specially crafted send stream to create a subvolume with
+reflinks to arbitrary files in the same filesystem.  Because of this,
+users are advised to not use *btrfs receive* on send streams from
+untrusted sources.
+
 EXIT STATUS
 -----------
 *btrfs receive* returns a zero exit status if it succeeds. Non zero is
-- 
2.11.0

Re: [PATCH] btrfs-progs: better document btrfs receive security

[David Sterba]

On Fri, Feb 03, 2017 at 08:48:58AM -0500, Austin S. Hemmelgarn wrote:
> This adds some extra documentation to the btrfs-receive manpage that
> explains some of the security related aspects of btrfs-receive.  The
> first part covers the fact that the subvolume being received is writable
> until the receive finishes, and the second covers the current lack of
> sanity checking of the send stream.
> 
> Signed-off-by: Austin S. Hemmelgarn <ahferroin7@gmail.com>

Applied, thanks.

Re: [PATCH] btrfs-progs: better document btrfs receive security

[Kai Krakow]

Am Fri,  3 Feb 2017 08:48:58 -0500
schrieb "Austin S. Hemmelgarn" <ahferroin7@gmail.com>:

> +user who is running receive, and then move then into the final
> destination                                 ^^^^

Typo? s/then/them/?

-- 
Regards,
Kai

Replies to list-only preferred.

Re: [PATCH] btrfs-progs: better document btrfs receive security

[Kai Krakow]

Am Fri,  3 Feb 2017 08:48:58 -0500
schrieb "Austin S. Hemmelgarn" <ahferroin7@gmail.com>:

> +that an incremental send streams actually makes sense, and it is thus
> +possible for a specially crafted send stream to create a subvolume

Sorry for the noise... Another one: shouldn't it say "sent
stream" (minus s) and "sent"?

-- 
Regards,
Kai

Replies to list-only preferred.

Re: [PATCH] btrfs-progs: better document btrfs receive security

[Austin S. Hemmelgarn]

On 2017-02-07 13:27, David Sterba wrote:
> On Fri, Feb 03, 2017 at 08:48:58AM -0500, Austin S. Hemmelgarn wrote:
>> This adds some extra documentation to the btrfs-receive manpage that
>> explains some of the security related aspects of btrfs-receive.  The
>> first part covers the fact that the subvolume being received is writable
>> until the receive finishes, and the second covers the current lack of
>> sanity checking of the send stream.
>>
>> Signed-off-by: Austin S. Hemmelgarn <ahferroin7@gmail.com>
>
> Applied, thanks.
>
Didn't get a chance to mention this yesterday, but it looks like you 
hadn't seen the updated version I sent on the third.  Message ID is:
<20170203193805.96977-1-ahferroin7@gmail.com>

The only significant difference is that I updated the description for 
the writablility issue using a much better description from Graham Cobb 
(with his permission of course).

If you want, I can send an incremental patch on top of the original to 
update just that description.

Re: [PATCH] btrfs-progs: better document btrfs receive security

[David Sterba]

On Wed, Feb 08, 2017 at 07:29:22AM -0500, Austin S. Hemmelgarn wrote:
> On 2017-02-07 13:27, David Sterba wrote:
> > On Fri, Feb 03, 2017 at 08:48:58AM -0500, Austin S. Hemmelgarn wrote:
> >> This adds some extra documentation to the btrfs-receive manpage that
> >> explains some of the security related aspects of btrfs-receive.  The
> >> first part covers the fact that the subvolume being received is writable
> >> until the receive finishes, and the second covers the current lack of
> >> sanity checking of the send stream.
> >>
> >> Signed-off-by: Austin S. Hemmelgarn <ahferroin7@gmail.com>
> >
> > Applied, thanks.
> >
> Didn't get a chance to mention this yesterday, but it looks like you 
> hadn't seen the updated version I sent on the third.  Message ID is:
> <20170203193805.96977-1-ahferroin7@gmail.com>

Ah sorry I missed that.

> The only significant difference is that I updated the description for 
> the writablility issue using a much better description from Graham Cobb 
> (with his permission of course).
> 
> If you want, I can send an incremental patch on top of the original to 
> update just that description.

No need to, I'll replace the patch with the latest version. Thanks.