#3379 PR open: New 'source' wrapper functions framework
Labels: severe improvement
jsmeix opened issue at 2025-01-13 15:55:
- Type: Enhancement
- Impact: High
  May cause failures when ReaR sources third-party scripts
  which source other scripts via '.'
- Reference to related issue (URL):
  https://github.com/rear/rear/issues/3259
- How was this pull request tested?
  "rear mkbackup" and "rear recover" worked for me with
  OUTPUT=ISO
  BACKUP=NETFS
  on a SLES15-SP6 default system
  - in normal mode
    - when on the original system ReaR is installed as normal RPM package
    - when on the original system ReaR is a Git checkout as root or normal user
  - in PORTABLE mode
    - when on the original system ReaR is installed as normal RPM package
    - when on the original system ReaR is a Git checkout as normal user
- Description of the changes in this pull request:
  In sbin/rear forbid sourcing via '.' and
  in lib/_input-output-functions.sh implement a
  'source' wrapper function that is intended to
  implement trustworthy sourcing later
  to improve security, see in general
  https://relax-and-recover.org/documentation/security-architecture
  and see
  https://github.com/rear/rear/issues/3259
  therein in particular
  https://github.com/rear/rear/issues/3259#issuecomment-2385745545
jsmeix commented at 2025-01-15 16:50:
With latest changes via
https://github.com/rear/rear/pull/3379/commits/213cc8756011aca60114154aeffb9deee0e63bb4
"rear mkrescue" plus "rear mkbackuponly"
and then "rear recover" still works for me
on a Git checkout that I did as 'root'.
For running from a Git checkout also as non-root
I have already an alternative (commented out) in the code
function source () {
...
# Ensure source file owner is 'root' (unless we are running from checkout where REAR_DIR_PREFIX is set):
#test "$REAR_DIR_PREFIX" || is_owner_root "$source_file" || Error "Forbidden to 'source $source_file' because its owner is not 'root'"
# Ensure source file owner is 'root' (regardless whether or not we are running from checkout):
is_owner_root "$source_file" || Error "Forbidden to 'source $source_file' because its owner is not 'root'"
jsmeix commented at 2025-01-15 17:10:
The CI check
Build Packages / build (push) Failing
fails because of this
https://github.com/rear/rear/actions/runs/12793045489/job/35664918367?pr=3379
Run tools/run-in-docker $(<images) -- rear dump
********** ubuntu:20.04 **********
ERROR: Forbidden to 'source /rear/usr/share/rear/lib/array-functions.sh' because its owner is not 'root'
so I will change to the above commented out method in the code
because '/rear/usr/share/rear/lib/array-functions.sh' has
a '/rear' prefix directory so REAR_DIR_PREFIX should be non-empty
('/rear')
jsmeix commented at 2025-01-17 12:33:
For comparison (with 'set -x' added to sbin/rear):
ReaR's basic directories when running sbin/rear
from a normally installed package
(i.e. when ReaR's files are installed in '/'
so REAR_DIR_PREFIX is empty):
localhost:~ # /usr/sbin/rear -D help
+ REAR_DIR_PREFIX=
+++ type -p /usr/sbin/rear
++ readlink -f /usr/sbin/rear
+ readonly SCRIPT_FILE=/usr/sbin/rear
+ SCRIPT_FILE=/usr/sbin/rear
++ readlink -f /usr/sbin/rear
+ test /usr/sbin/rear '!=' /usr/sbin/rear
+ readonly REAR_DIR_PREFIX
+ SHARE_DIR=/usr/share/rear
+ CONFIG_DIR=/etc/rear
+ VAR_DIR=/var/lib/rear
+ LOG_DIR=/var/log/rear
+ DISKLAYOUT_FILE=/var/lib/rear/layout/disklayout.conf
+ readonly TARGET_FS_ROOT=/mnt/local
+ TARGET_FS_ROOT=/mnt/local
...
versus
ReaR's basic directories when running sbin/rear
from a Git checkout
(i.e. when ReaR's files are installed in '/some/path/'
so REAR_DIR_PREFIX is non-empty '/some/path'):
localhost:~/rear.github.master-jsmeix-source-wrapper # usr/sbin/rear -D help
+ REAR_DIR_PREFIX=
+++ type -p usr/sbin/rear
++ readlink -f usr/sbin/rear
+ readonly SCRIPT_FILE=/root/rear.github.master-jsmeix-source-wrapper/usr/sbin/rear
+ SCRIPT_FILE=/root/rear.github.master-jsmeix-source-wrapper/usr/sbin/rear
++ readlink -f /usr/sbin/rear
+ test /root/rear.github.master-jsmeix-source-wrapper/usr/sbin/rear '!=' /usr/sbin/rear
+ REAR_DIR_PREFIX=/root/rear.github.master-jsmeix-source-wrapper
+ readonly REAR_DIR_PREFIX
+ SHARE_DIR=/root/rear.github.master-jsmeix-source-wrapper/usr/share/rear
+ CONFIG_DIR=/root/rear.github.master-jsmeix-source-wrapper/etc/rear
+ VAR_DIR=/root/rear.github.master-jsmeix-source-wrapper/var/lib/rear
+ LOG_DIR=/root/rear.github.master-jsmeix-source-wrapper/var/log/rear
++ pwd
+ readonly WORKING_DIR=/root/rear.github.master-jsmeix-source-wrapper
+ WORKING_DIR=/root/rear.github.master-jsmeix-source-wrapper
+ DISKLAYOUT_FILE=/root/rear.github.master-jsmeix-source-wrapper/var/lib/rear/layout/disklayout.conf
+ readonly TARGET_FS_ROOT=/mnt/local
+ TARGET_FS_ROOT=/mnt/local
...
jsmeix commented at 2025-01-20 07:13:
For comparison (with 'set -x' added to sbin/rear):
ReaR's basic directories
when running /bin/rear in the ReaR recovery system
when ReaR on the original system was a Git checkout:
RESCUE localhost:~ # rear help
+ REAR_DIR_PREFIX=
+++ type -p /bin/rear
++ readlink -f /bin/rear
+ readonly SCRIPT_FILE=/bin/rear
+ SCRIPT_FILE=/bin/rear
++ readlink -f /usr/sbin/rear
+ test /bin/rear '!=' /bin/rear
+ readonly REAR_DIR_PREFIX
+ SHARE_DIR=/usr/share/rear
+ CONFIG_DIR=/etc/rear
+ VAR_DIR=/var/lib/rear
+ LOG_DIR=/var/log/rear
++ pwd
+ readonly WORKING_DIR=/root
+ WORKING_DIR=/root
+ DISKLAYOUT_FILE=/var/lib/rear/layout/disklayout.conf
+ readonly TARGET_FS_ROOT=/mnt/local
+ TARGET_FS_ROOT=/mnt/local
so ReaR's basic directories in the ReaR recovery system
are always the same as on the original system
from a normally installed package
BUT
some of them are symlinks and others are not:
/usr/share/rear is a symbolic link to ../../rear/prefix/usr/share/rear
/etc/rear is a normal directory (no symbolic link to /rear/prefix/etc/rear)
/var/lib/rear is a symbolic link to ../../rear/prefix/var/lib/rear
/var/log/rear is a normal directory (no symbolic link to /rear/prefix/var/log/rear)
so the actual files in /usr/share/rear and /var/lib/rear
are under a prefix directory
except the actual files in /etc/rear and /var/log/rear
which are really in /etc/rear and /var/log/rear
so the empty REAR_DIR_PREFIX matches where the actual files
in CONFIG_DIR and LOG_DIR are but it does
neither match where the actual files in SHARE_DIR are
nor does REAR_DIR_PREFIX match where the actual files in VAR_DIR are.
jsmeix commented at 2025-01-20 08:43:
With the fixed is_trustworthy_path function in
https://github.com/rear/rear/pull/3379/commits/02b7bb82c642c699443531109508b787d1e9bb0b
the 'readlink -e' result is actually used and tested
so ReaR now fails as expected in the ReaR recovery system
when ReaR on the original system was a Git checkout
RESCUE localhost:~ # rear -D help
ERROR: Forbidden to 'source /usr/share/rear/lib/array-functions.sh' because it is not below a trustworthy directory
because
RESCUE localhost:~ # readlink -e /usr/share/rear/lib/array-functions.sh
/root/rear.github.master-jsmeix-source-wrapper/usr/share/rear/lib/array-functions.sh
and because REAR_DIR_PREFIX is empty in the ReaR recovery system
my ReaR prefix directory
/root/rear.github.master-jsmeix-source-wrapper
from my Git checkout on my original system
is not considered as a trustworthy path
within the ReaR recovery system.
I will have to find a proper solution for this...
jsmeix commented at 2025-01-20 09:40:
My recent
https://github.com/rear/rear/pull/3379/commits/6f4b89db52b7e67a5e34593fd5fad1594048ecf6
is a quick fix to get "rear recover" working for me
when ReaR on the original system was a Git checkout.
I will have to check more carefully if this is a proper solution.
I already notice that my current logic in that code looks weird
...
The next
https://github.com/rear/rear/pull/3379/commits/fedab89f569d8ca1c67be73d36b56866aa57ea1e
should be much better
I know that in my current code it is not ideal
that trustworthy_paths is determined for each call
of the is_trustworthy_path function but the
current code is still only a proof of concept
to find out how far such things work at all.
For the final solution trustworthy_paths could be
a global variable TRUSTWORTHY_PATHS probably even
a user config variable that gets set only once
e.g. if empty its default could be set in sbin/rear
and the is_trustworthy_path function only uses it.
jsmeix commented at 2025-01-21 13:39:
I tested my latest state here, i.e. up to
https://github.com/rear/rear/pull/3379/commits/3ec991a895977b5a02a69bde772d2bccbde844f8
Both "rear mkbackup" and "rear recover" work for me
when running 'rear' from a normally installed package
and also
when running 'sbin/rear' from a Git checkout which I did as root.
I will also test from a Git checkout which I did as non-root.
jsmeix commented at 2025-01-22 13:12:
I tested how it behaves from a Git checkout which I did as non-root.
Summary:
For me all "just worked out of the box".
Details:
How I made my Git checkout as normal non-root user 'johannes'
on a SLES15-SP6 virtual KVM/QEMU machine:
johannes@localhost:~> git clone https://github.com/rear/rear.git
johannes@localhost:~> mv rear rear.github.master-jsmeix-source-wrapper
johannes@localhost:~> cd rear.github.master-jsmeix-source-wrapper
johannes@localhost:~/rear.github.master-jsmeix-source-wrapper> git checkout -b jsmeix-source-wrapper remotes/origin/jsmeix-source-wrapper
johannes@localhost:~/rear.github.master-jsmeix-source-wrapper> vi etc/rear/local.conf
johannes@localhost:~/rear.github.master-jsmeix-source-wrapper> grep -v '^#' etc/rear/local.conf
OUTPUT=ISO
BACKUP=NETFS
BACKUP_OPTIONS="nfsvers=3,nolock"
BACKUP_URL=nfs://192.168.178.66/nfs
REQUIRED_PROGS+=( snapper chattr lsattr )
COPY_AS_IS+=( /usr/lib/snapper/installation-helper /etc/snapper/config-templates/default )
POST_RECOVERY_SCRIPT=( 'if snapper --no-dbus -r $TARGET_FS_ROOT get-config | grep -q "^QGROUP.*[0-9]/[0-9]" ; then snapper --no-dbus -r $TARGET_FS_ROOT set-config QGROUP= ; snapper --no-dbus -r $TARGET_FS_ROOT setup-quota && echo snapper setup-quota done || echo snapper setup-quota failed ; else echo snapper setup-quota not used ; fi' )
SSH_ROOT_PASSWORD="rear"
USE_DHCLIENT="yes"
FIRMWARE_FILES=( 'no' )
MODULES=( 'loaded_modules' )
PROGRESS_MODE="plain"
PROGRESS_WAIT_SECONDS="5"
How I did "rear mkrescue" and "rear mkbackuponly" as 'root'
inside the Git checkout directory:
johannes@localhost:~/rear.github.master-jsmeix-source-wrapper> su
Password: ...
localhost:/home/johannes/rear.github.master-jsmeix-source-wrapper # usr/sbin/rear -D mkrescue
...
Using log file: /home/johannes/rear.github.master-jsmeix-source-wrapper/var/log/rear/rear-localhost.log
...
["just worked"]
localhost:/home/johannes/rear.github.master-jsmeix-source-wrapper # grep 'Sourced files must be' var/log/rear/rear-localhost.30496.log
2025-01-22 12:40:07.209350458 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
2025-01-22 12:40:07.210857184 Sourced files must be below one of the TRUSTWORTHY_PATHS /home/johannes/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /lib/
localhost:/home/johannes/rear.github.master-jsmeix-source-wrapper # usr/sbin/rear -D mkbackuponly
...
Using log file: /home/johannes/rear.github.master-jsmeix-source-wrapper/var/log/rear/rear-localhost.30496.log
...
["just worked"]
localhost:/home/johannes/rear.github.master-jsmeix-source-wrapper # grep 'Sourced files must be' var/log/rear/rear-localhost.30496.log
2025-01-22 12:40:07.209350458 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
2025-01-22 12:40:07.210857184 Sourced files must be below one of the TRUSTWORTHY_PATHS /home/johannes/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /lib/
How I did "rear recover" on another virtual KVM/QEMU machine:
RESCUE localhost:~ # rear -D recover
...
Using log file: /var/log/rear/rear-localhost.log
...
["just worked"]
RESCUE localhost:~ # grep 'Sourced files must be' /var/log/rear/rear-localhost.log
2025-01-22 13:25:48.555124104 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
2025-01-22 13:25:48.557765237 Sourced files must be below one of the TRUSTWORTHY_PATHS /home/johannes/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /var/lib/rear/ /lib/
RESCUE localhost:~ # type -a rear
rear is /bin/rear
rear is /sbin/rear
RESCUE localhost:~ # readlink -e /bin/rear
/bin/rear
RESCUE localhost:~ # readlink -e /sbin/rear
/bin/rear
RESCUE localhost:~ # ls -l /bin/rear
-rwxr-xr-x 1 johannes users 46078 Jan 22 12:32 /bin/rear
RESCUE localhost:~ # readlink -e /usr/share/rear/lib/_input-output-functions.sh
/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/lib/_input-output-functions.sh
RESCUE localhost:~ # ls -l /home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/lib/_input-output-functions.sh
-rw-r--r-- 1 johannes users 99574 Jan 22 12:32 /home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/lib/_input-output-functions.sh
jsmeix commented at 2025-01-22 13:15:
Next step is testing how it behaves in PORTABLE mode...
jsmeix commented at 2025-01-22 13:31:
For now in its current still "proof of concept" state here
I intentionally keep TRUSTWORTHY_OWNERS for files to be sourced
separated from the already existing TRUSTED_FILE_OWNERS for
trusted owners of files where RequiredSharedObjects calls ldd.
Later when things work sufficiently well for files to be sourced
I will think about simplifying it to two generic user config variables
in a separated second step which is independent of this pull request:
One for trusted owners and a second one for trusted paths for all cases
where trustworthiness of files needs to be checked.
Because I do agree with
https://en.wikipedia.org/wiki/Trusted_computing_base#Trusted_vs._trustworthy
... the trusted computing base is "trusted"
first and foremost in the sense that it has to be trusted,
and not necessarily that it is trustworthy ...
I prefer the variable name TRUSTED_FILE_OWNERS over TRUSTWORTHY_OWNERS
so the two generic user config variables will likely be named
TRUSTED_FILE_OWNERS and TRUSTED_FILE_PATHS because
in particular paths with huge contents like '/usr/' are "trusted"
first and foremost in the sense that it has to be trusted, and
not necessarily that it is trustworthy because in daily practice
it is hard (up to practically impossible for normal admins)
to continuously ensure that all files below '/usr/'
are always actually trustworthy.
Furthermore in particular for ReaR
TRUSTED_FILE_OWNERS and TRUSTED_FILE_PATHS mean that
from ReaR's point of view those files have to be trusted
and not necessarily that they are actually trustworthy,
i.e. ReaR will not implement verification code
that proves those files are actually trustworthy.
This makes ReaR behave same as usual other software, cf.
https://github.com/rear/rear/issues/3259#issuecomment-2385745545
which reads (excerpt)
... other software executes potentially untrusted code
all the time.
The shell executes commands that it finds
in essentially arbitrary directories.
The Python interpreter loads modules again
from essentially arbitrary directories.
The dynamic linker (ELF binary interpreter)
loads shared libraries from essentially
arbitrary directories and so on.
How are security issues prevented in these systems?
It is not by using any "same-author policy"
(no software I know about is doing that),
it is by controlling the set of directories
that the code can be loaded from.
The shell uses $PATH,
the Python interpreter sys.path,
the dynamic linker uses its defaults and the
directories configured in /etc/ld.so.conf and so on.
If any of these sets contain a world-writable directory,
the security impact is disastrous and it is a job
of the distribution and of the system administrator
to ensure that this is not the case.
In ReaR this is now implemented via TRUSTWORTHY_PATHS.
Additionally ReaR implements TRUSTWORTHY_OWNERS according to
https://relax-and-recover.org/documentation/security-architecture
which reads (excerpt)
To mitigate the risk of code injections,
the following checks are implemented:
...
When ReaR is installed properly and not run from source
or in portable mode, then we validate for example
that ReaR scripts and configuration files are owned by root
and are not writable by unprivileged users
or that the scripts are sourced from the ReaR scripts paths.
What this pull request does not implement
(and it is not intended to be implemented via this pull request)
is the
... files ... are not writable by unprivileged users
part - simply because I have currently no idea how to prove
that a file cannot be written by any unprivileged user
via any way (e.g. file permissions alone won't help when
the user could replace the whole directory by his copy).
This might be doable for traditional Unix permissions.
But I have currently no idea how to do it for ACLs
or whatever other advanced or weird things.
Also think about files on "weak" file systems that
do not support standard Unix permission settings.
Such advanced topics (which go far beyond what
other software does) should be implemented
via separated subsequent pull requests.
jsmeix commented at 2025-01-22 15:54:
I did my very first but not yet correct testing of PORTABLE mode:
I tested on a SLES15-SP6 virtual KVM/QEMU machine
with the default SLES btrfs structure
in a Git checkout as normal non-root user 'johannes', cf.
https://github.com/rear/rear/pull/3379#issuecomment-2607217184
Because currently "rear mkbackup" does not work
in PORTABLE mode - at least not in my use case - I did
first "rear mkrescue" and then "rear mkbackuponly", cf.
https://github.com/rear/rear/issues/3384
To test "rear recover" in PORTABLE mode I booted
the ReaR recovery system ISO which I had already from
https://github.com/rear/rear/pull/3379#issuecomment-2607217184
because I do not have a non-ReaR rescue system and
with a ReaR rescue system I know I have all needed programs
so I don't need to bother with that because I only liked
to test the PORTABLE mode alone.
In the booted ReaR recovery system ISO I did
RESCUE localhost:~ # mount -t nfs -o nolock 192.168.178.66:/nfs/localhost.portable /nfs
to mount my NFS share where my localhost-portable.tar.gz is
and then I did
RESCUE localhost:~ # tar -xvf /nfs/localhost-portable.tar.gz
to untar the PORTABLE mode ReaR files and
finally I did
RESCUE localhost:~ # rear -D recover
...
Using log file: /var/log/rear/rear-localhost.log
...
which "just worked" for me.
BUT:
In its /var/log/rear/rear-localhost.log I see
2025-01-22 16:20:01.439869675 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
2025-01-22 16:20:01.442538730 Sourced files must be below one of the TRUSTWORTHY_PATHS /home/johannes/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /var/lib/rear/ /lib/
2025-01-22 16:20:01.445410746 Trustworthy sourcing '/usr/share/rear/lib/array-functions.sh'
2025-01-22 16:20:01.451235338 Trustworthy sourcing '/usr/share/rear/lib/authtoken-functions.sh'
...
2025-01-22 16:20:01.971160935 Trustworthy sourcing '/usr/share/rear/init/default/001_verify_config_arrays.sh'
...
++ readlink -e /usr/share/rear/init/default/001_verify_config_arrays.sh
+ actual_path=/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh
+ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
+ test /home/johannes/rear.github.master-jsmeix-source-wrapper/
+ [[ /home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh =~ ^/home/johannes/rear.github.master-jsmeix-source-wrapper/ ]]
+ return 0
+ builtin source /usr/share/rear/init/default/001_verify_config_arrays.sh
...
so it did not use the PORTABLE mode ReaR files
from localhost-portable.tar.gz which are under
/root/home/johannes/rear.github.master-jsmeix-source-wrapper/
but the ReaR files from the booted ReaR recovery system ISO under
/home/johannes/rear.github.master-jsmeix-source-wrapper/
cf.
RESCUE localhost:~ # find / -xdev | grep '001_verify_config_arrays.sh'
/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh
/root/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh
so this very first test of PORTABLE mode was not yet correct.
Tomorrow I will have a further look
how things are meant to work in PORTABLE mode and
how I could test PORTABLE mode with reasonable effort
(I want to avoid bothering with a "third-party" rescue system).
jsmeix commented at 2025-01-23 12:51:
Next try to test PORTABLE mode:
I tested on a SLES15-SP6 virtual KVM/QEMU machine
with the default SLES btrfs structure
in a Git checkout as normal non-root user 'johannes', cf.
https://github.com/rear/rear/pull/3379#issuecomment-2607217184
I use this local.conf
# OUTPUT=ISO
OUTPUT=PORTABLE
BACKUP=NETFS
BACKUP_OPTIONS="nfsvers=3,nolock"
BACKUP_URL=nfs://192.168.178.66/nfs
REQUIRED_PROGS+=( snapper chattr lsattr )
COPY_AS_IS+=( /usr/lib/snapper/installation-helper /etc/snapper/config-templates/default )
POST_RECOVERY_SCRIPT=( 'if snapper --no-dbus -r $TARGET_FS_ROOT get-config | grep -q "^QGROUP.*[0-9]/[0-9]" ; then snapper --no-dbus -r $TARGET_FS_ROOT set-config QGROUP= ; snapper --no-dbus -r $TARGET_FS_ROOT setup-quota && echo snapper setup-quota done || echo snapper setup-quota failed ; else echo snapper setup-quota not used ; fi' )
SSH_ROOT_PASSWORD="rear"
USE_DHCLIENT="yes"
FIRMWARE_FILES=( 'no' )
MODULES=( 'loaded_modules' )
PROGRESS_MODE="plain"
PROGRESS_WAIT_SECONDS="5"
REQUIRED_PROGS+=( 'timeout' )
I did "rear mkrescue" with OUTPUT=ISO
and I got these files on my NFS server
# ls -lhdtr /nfs/localhost/*
-rw------- 1 nobody nobody 86M Jan 23 13:14 /nfs/localhost/rear-localhost.iso
-rw------- 1 nobody nobody 273 Jan 23 13:14 /nfs/localhost/VERSION
-rw------- 1 nobody nobody 202 Jan 23 13:14 /nfs/localhost/README
-rw------- 1 nobody nobody 2.3M Jan 23 13:14 /nfs/localhost/rear-localhost.log
Then I did "rear mkrescue" with OUTPUT=PORTABLE
and I got then these files on my NFS server
# ls -lhdtr /nfs/localhost/*
-rw------- 1 nobody nobody 86M Jan 23 13:14 /nfs/localhost/rear-localhost.iso
-rw------- 1 nobody nobody 202 Jan 23 13:14 /nfs/localhost/README
-rw------- 1 nobody nobody 804K Jan 23 13:27 /nfs/localhost/localhost-portable.tar.gz
-rw------- 1 nobody nobody 278 Jan 23 13:27 /nfs/localhost/VERSION
-rw------- 1 nobody nobody 2.4M Jan 23 13:27 /nfs/localhost/rear-localhost.log
Finally I did "rear -D mkbackuponly" (also OUTPUT=PORTABLE)
and I got finally these files on my NFS server:
# ls -lhdtr /nfs/localhost/*
-rw------- 1 nobody nobody 86M Jan 23 13:14 /nfs/localhost/rear-localhost.iso
-rw------- 1 nobody nobody 202 Jan 23 13:14 /nfs/localhost/README
-rw------- 1 nobody nobody 804K Jan 23 13:27 /nfs/localhost/localhost-portable.tar.gz
-rw------- 1 nobody nobody 278 Jan 23 13:27 /nfs/localhost/VERSION
-rw------- 1 nobody nobody 2.4M Jan 23 13:27 /nfs/localhost/rear-localhost.log
-rw-r--r-- 1 nobody nobody 2.6G Jan 23 13:41 /nfs/localhost/backup.tar.gz
-rw-r--r-- 1 nobody nobody 10M Jan 23 13:41 /nfs/localhost/backup.log
My plan is to
boot another virtual KVM/QEMU machine
with the rear-localhost.iso (from OUTPUT=ISO)
log in as 'root' there and remove all ReaR files
(i.e. the ones from rear-localhost.iso)
in the ReaR recovery system
then
download localhost-portable.tar.gz (from OUTPUT=PORTABLE)
and untar it in an arbitrary sub-directory
change into that sub-directory and
finally
try "rear recover"
jsmeix commented at 2025-01-23 14:48:
"rear recover" in PORTABLE mode worked well for me
when on the original system it was
a Git checkout as normal non-root user 'johannes':
I booted another virtual KVM/QEMU machine
with the rear-localhost.iso (from OUTPUT=ISO)
and logged in as 'root' there.
I removed all ReaR files
(i.e. the ones from rear-localhost.iso)
in the ReaR recovery system
except '/etc/rear-release' which I keep
so even I don't need '-p' for "rear recover".
Then I did
RESCUE localhost: # mkdir /nfs
RESCUE localhost: # mount -t nfs -o nolock 192.168.178.66:/nfs/localhost /nfs
RESCUE localhost: # mkdir /portable
RESCUE localhost: # mkdir /portable/rear
RESCUE localhost: # cd /portable/rear
RESCUE localhost:/portable/rear # cp /nfs/localhost-portable.tar.gz .
RESCUE localhost:/portable/rear # tar -xf localhost-portable.tar.gz
RESCUE localhost:/portable/rear # ls -l
total 804
drwxr-xr-x 3 root root 0 Jan 23 15:26 etc
drwxr-xr-x 3 root root 0 Jan 23 15:26 home
-rw-r--r-- 1 root root 823134 Jan 23 15:26 localhost-portable.tar.gz
drwxr-xr-x 4 root root 0 Jan 23 15:26 usr
drwxr-xr-x 3 root root 0 Jan 23 15:26 var
RESCUE localhost:/portable/rear # find usr -ls
26315 0 drwxr-xr-x 4 root root 0 Jan 23 15:26 usr
26326 0 drwxr-xr-x 2 root root 0 Jan 23 15:26 usr/share
28118 0 lrwxrwxrwx 1 root root 75 Jan 23 13:26 usr/share/rear -> ../../home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear
26316 0 drwxr-xr-x 2 root root 0 Jan 23 15:26 usr/sbin
26317 48 -rwxr-xr-x 1 johannes users 46078 Jan 22 12:32 usr/sbin/rear
RESCUE localhost:/portable/rear # find etc/ -ls
26318 0 drwxr-xr-x 3 root root 0 Jan 23 15:26 etc/
26319 0 drwxr-xr-x 2 root root 0 Jan 23 13:26 etc/rear
26322 4 -rw-r--r-- 1 root root 378 Jan 23 13:26 etc/rear/os.conf
26321 8 -rw-r--r-- 1 root root 5090 Jan 23 13:26 etc/rear/local.conf
26320 4 -rw-r--r-- 1 root root 1265 Jan 23 13:26 etc/rear/rescue.conf
RESCUE localhost:/portable/rear # find var -ls
26328 0 drwxr-xr-x 3 root root 0 Jan 23 15:26 var
26329 0 drwxr-xr-x 2 root root 0 Jan 23 15:26 var/lib
28117 0 lrwxrwxrwx 1 root root 73 Jan 23 13:26 var/lib/rear -> ../../home/johannes/rear.github.master-jsmeix-source-wrapper/var/lib/rear
RESCUE localhost:/portable/rear # usr/sbin/rear -D recover
...
Using log file: /portable/rear/var/log/rear/rear-localhost.log
...
RESCUE localhost:/portable/rear # less var/log/rear/rear-localhost.log
...
2025-01-23 15:29:56.799822840 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
2025-01-23 15:29:56.802493990 Sourced files must be below one of the TRUSTWORTHY_PATHS /portable/rear/ /usr/ /etc/ /lib/
2025-01-23 15:29:56.805229400 Trustworthy sourcing '/portable/rear/usr/share/rear/lib/array-functions.sh'
...
+ source /portable/rear/etc/rear/os.conf
+ local source_file=/portable/rear/etc/rear/os.conf
+ Debug 'Trustworthy sourcing '\''/portable/rear/etc/rear/os.conf'\'''
2025-01-23 15:29:57.128342998 Trustworthy sourcing '/portable/rear/etc/rear/os.conf'
+ test -f /portable/rear/etc/rear/os.conf
+ is_trustworthy_owner /portable/rear/etc/rear/os.conf
+ local file=/portable/rear/etc/rear/os.conf
+ local owner_name=
+ local trustworthy_owner=
+ test -f /portable/rear/etc/rear/os.conf
++ stat -L -c %U /portable/rear/etc/rear/os.conf
+ owner_name=root
+ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
+ test root = root
+ return 0
+ is_trustworthy_path /portable/rear/etc/rear/os.conf
+ local file=/portable/rear/etc/rear/os.conf
+ local actual_path=
+ local trustworthy_path=
+ test -f /portable/rear/etc/rear/os.conf
++ readlink -e /portable/rear/etc/rear/os.conf
+ actual_path=/portable/rear/etc/rear/os.conf
+ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
+ test /portable/rear/
+ [[ /portable/rear/etc/rear/os.conf =~ ^/portable/rear/ ]]
+ return 0
+ builtin source /portable/rear/etc/rear/os.conf
...
2025-01-23 15:29:57.270295687 Running 'init' stage
2025-01-23 15:29:57.273541457 ======================
2025-01-23 15:29:57.285953301 Including init/default/001_verify_config_arrays.sh
2025-01-23 15:29:57.288911160 Entering debugscript mode via 'set -x'.
+ source /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ local source_file=/portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ Debug 'Trustworthy sourcing '\''/portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh'\'''
2025-01-23 15:29:57.297003948 Trustworthy sourcing '/portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh'
+ test -f /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ is_trustworthy_owner /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ local file=/portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ local owner_name=
+ local trustworthy_owner=
+ test -f /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
++ stat -L -c %U /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ owner_name=johannes
+ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
+ test johannes = root
+ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
+ test johannes = johannes
+ return 0
+ is_trustworthy_path /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ local file=/portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ local actual_path=
+ local trustworthy_path=
+ test -f /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
++ readlink -e /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
+ actual_path=/portable/rear/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh
+ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
+ test /portable/rear/
+ [[ /portable/rear/home/johannes/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh =~ ^/portable/rear/ ]]
+ return 0
+ builtin source /portable/rear/usr/share/rear/init/default/001_verify_config_arrays.sh
...
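The owner and path checks visible in the 'set -x' trace above, rebuilt as a stand-alone sketch (an added example, not the code from this pull request). It assumes GNU 'stat' and 'readlink', keeps the two lists as colon-separated strings so it also runs under plain sh, compares the prefix literally where the trace shows a '=~' match, and the names trusted_source and demo_trusted_source are hypothetical.

```shell
#!/bin/sh
# Added example, not ReaR's code: check owner and resolved path before sourcing.
# Assumption: both lists are colon-separated strings (like $PATH), not bash arrays.
TRUSTWORTHY_OWNERS="root"
TRUSTWORTHY_PATHS="/usr/:/etc/:/lib/"

# Succeed when the file's owner (symlinks followed) is listed in TRUSTWORTHY_OWNERS.
is_trustworthy_owner () {
    local file="$1" owner_name trustworthy_owner rest
    test -f "$file" || return 1
    owner_name="$( stat -L -c %U "$file" )" || return 1
    rest="$TRUSTWORTHY_OWNERS:"
    while test -n "$rest" ; do
        trustworthy_owner="${rest%%:*}"
        rest="${rest#*:}"
        test "$owner_name" = "$trustworthy_owner" && return 0
    done
    return 1
}

# Succeed when the fully resolved path of the file is below one of the
# TRUSTWORTHY_PATHS. 'readlink -e' resolves every symlink, so a link that sits
# in a trusted directory but points elsewhere is judged by where it points.
is_trustworthy_path () {
    local file="$1" actual_path trustworthy_path rest
    test -f "$file" || return 1
    actual_path="$( readlink -e "$file" )" || return 1
    rest="$TRUSTWORTHY_PATHS:"
    while test -n "$rest" ; do
        trustworthy_path="${rest%%:*}"
        rest="${rest#*:}"
        test -n "$trustworthy_path" || continue
        # Force a trailing '/' so '/x/trusted' cannot match '/x/trusted-evil/...'
        case "$trustworthy_path" in
            */) ;;
            *) trustworthy_path="$trustworthy_path/" ;;
        esac
        # Quoted pattern = literal prefix: '.' in a directory name matches only '.'
        case "$actual_path" in
            "$trustworthy_path"*) return 0 ;;
        esac
    done
    return 1
}

# Hypothetical wrapper: refuse to source unless both checks pass.
# It returns 1 instead of calling ReaR's Error function.
trusted_source () {
    local source_file="$1" actual_path
    if ! is_trustworthy_owner "$source_file" ; then
        echo "Forbidden to 'source $source_file' because its owner is not trustworthy" >&2
        return 1
    fi
    if ! is_trustworthy_path "$source_file" ; then
        echo "Forbidden to 'source $source_file' because it is not below a trustworthy directory" >&2
        return 1
    fi
    # Source the resolved path that was checked ('.' so it works in plain sh).
    actual_path="$( readlink -e "$source_file" )" || return 1
    . "$actual_path"
}

# Constructed test tree: one good file, one symlink that leaves the trusted
# directory, one file in a sibling directory that shares the name prefix.
demo_trusted_source () {
    local base owner f result=""
    SOURCED=none
    base="$( readlink -e "$( mktemp -d )" )" || return 1
    owner="$( stat -c %U "$base" )"
    mkdir "$base/trusted" "$base/trusted-evil"
    echo 'SOURCED=good' > "$base/trusted/good.sh"
    echo 'SOURCED=evil' > "$base/trusted-evil/evil.sh"
    ln -s ../trusted-evil/evil.sh "$base/trusted/link.sh"
    TRUSTWORTHY_OWNERS="root:$owner"
    TRUSTWORTHY_PATHS="$base/trusted"
    for f in trusted/good.sh trusted/link.sh trusted-evil/evil.sh ; do
        if trusted_source "$base/$f" 2>/dev/null ; then
            result="${result:+$result }accepted"
        else
            result="${result:+$result }rejected"
        fi
    done
    # Same good file, but its owner is no longer in the list.
    TRUSTWORTHY_OWNERS="no-such-owner"
    if trusted_source "$base/trusted/good.sh" 2>/dev/null ; then
        result="$result accepted"
    else
        result="$result rejected"
    fi
    rm -rf "$base"
    echo "$result SOURCED=$SOURCED"
}

demo_trusted_source
```

Only the first file is sourced; the symlink is rejected because its resolved target lies outside the trusted directory, which is the same effect the thread reports once the 'readlink -e' result was actually tested.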
jsmeix commented at 2025-01-23 14:50:
Next I will test PORTABLE mode
when on the original system ReaR is
installed as normal RPM package...
jsmeix commented at 2025-01-27 13:55:
Next test is PORTABLE mode
when on the original system ReaR 2.8
is installed as normal RPM package.
I tested on the same SLES15-SP6 virtual KVM/QEMU machine as above.
I tested PORTABLE mode in the same way as above in
https://github.com/rear/rear/pull/3379#issuecomment-2609733311
I use the same local.conf
# OUTPUT=ISO
OUTPUT=PORTABLE
BACKUP=NETFS
BACKUP_OPTIONS="nfsvers=3,nolock"
BACKUP_URL=nfs://192.168.178.66/nfs
REQUIRED_PROGS+=( snapper chattr lsattr )
COPY_AS_IS+=( /usr/lib/snapper/installation-helper /etc/snapper/config-templates/default )
POST_RECOVERY_SCRIPT=( 'if snapper --no-dbus -r $TARGET_FS_ROOT get-config | grep -q "^QGROUP.*[0-9]/[0-9]" ; then snapper --no-dbus -r $TARGET_FS_ROOT set-config QGROUP= ; snapper --no-dbus -r $TARGET_FS_ROOT setup-quota && echo snapper setup-quota done || echo snapper setup-quota failed ; else echo snapper setup-quota not used ; fi' )
SSH_ROOT_PASSWORD="rear"
USE_DHCLIENT="yes"
FIRMWARE_FILES=( 'no' )
MODULES=( 'loaded_modules' )
PROGRESS_MODE="plain"
PROGRESS_WAIT_SECONDS="5"
REQUIRED_PROGS+=( 'timeout' )
The REQUIRED_PROGS+=( 'timeout' )
is because of
https://github.com/rear/rear/issues/3386
I did "rear mkrescue" with OUTPUT=ISO
and I got these files on my NFS server
localhost:/nfs # ls -lhdtr localhost/*
-rw------- 1 nobody nobody 85M Jan 27 14:23 localhost/rear-localhost.iso
-rw------- 1 nobody nobody 273 Jan 27 14:23 localhost/VERSION
-rw------- 1 nobody nobody 202 Jan 27 14:23 localhost/README
-rw------- 1 nobody nobody 2.1M Jan 27 14:23 localhost/rear-localhost.log
Then I did "rear mkrescue" with OUTPUT=PORTABLE
and I got then these files on my NFS server
localhost:/nfs # ls -lhdtr localhost/*
-rw------- 1 nobody nobody 85M Jan 27 14:23 localhost/rear-localhost.iso
-rw------- 1 nobody nobody 202 Jan 27 14:23 localhost/README
-rw------- 1 nobody nobody 1.6M Jan 27 14:34 localhost/localhost-portable.tar.gz
-rw------- 1 nobody nobody 278 Jan 27 14:34 localhost/VERSION
-rw------- 1 nobody nobody 2.2M Jan 27 14:34 localhost/rear-localhost.log
Finally I did "rear -D mkbackuponly" (also OUTPUT=PORTABLE)
and I got finally these files on my NFS server:
localhost:/nfs # ls -lhdtr localhost/*
-rw------- 1 nobody nobody 85M Jan 27 14:23 localhost/rear-localhost.iso
-rw------- 1 nobody nobody 202 Jan 27 14:23 localhost/README
-rw------- 1 nobody nobody 1.6M Jan 27 14:34 localhost/localhost-portable.tar.gz
-rw------- 1 nobody nobody 278 Jan 27 14:34 localhost/VERSION
-rw------- 1 nobody nobody 2.2M Jan 27 14:34 localhost/rear-localhost.log
-rw-r--r-- 1 nobody nobody 2.6G Jan 27 14:37 localhost/backup.tar.gz
-rw-r--r-- 1 nobody nobody 10M Jan 27 14:38 localhost/backup.log
I got those log files:
localhost:~ # ls -lhdtr /var/log/rear/*log*
-rw------- 1 root root 2.1M Jan 27 14:23 /var/log/rear/rear-localhost.log.old
-rw------- 1 root root 647K Jan 27 14:38 /var/log/rear/rear-localhost.log
-rw------- 1 root root 651K Jan 27 14:38 /var/log/rear/rear-localhost.21660.log
with those excerpts about TRUSTWORTHY_OWNERS and TRUSTWORTHY_PATHS:
localhost:~ # grep 'Sourced files must be' /var/log/rear/rear-localhost.log.old /var/log/rear/rear-localhost.log /var/log/rear/rear-localhost.21660.log
/var/log/rear/rear-localhost.log.old:2025-01-27 14:23:04.879652514 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root
/var/log/rear/rear-localhost.log.old:2025-01-27 14:23:04.881206121 Sourced files must be below one of the TRUSTWORTHY_PATHS /usr/ /etc/ /var/lib/rear/ /lib/
/var/log/rear/rear-localhost.log:2025-01-27 14:35:06.755948341 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root
/var/log/rear/rear-localhost.log:2025-01-27 14:35:06.757474918 Sourced files must be below one of the TRUSTWORTHY_PATHS /usr/ /etc/ /var/lib/rear/ /lib/
/var/log/rear/rear-localhost.21660.log:2025-01-27 14:35:06.755948341 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root
/var/log/rear/rear-localhost.21660.log:2025-01-27 14:35:06.757474918 Sourced files must be below one of the TRUSTWORTHY_PATHS /usr/ /etc/ /var/lib/rear/ /lib/
jsmeix commented at 2025-01-27 14:24:
"rear recover" in PORTABLE mode
also worked well for me
when on the original system ReaR 2.8
is installed as normal RPM package:
I booted another virtual KVM/QEMU machine
with the rear-localhost.iso (from OUTPUT=ISO)
and logged in as 'root' there.
I removed all ReaR files
(i.e. the ones from rear-localhost.iso)
in the ReaR recovery system
except '/etc/rear-release' which I keep
so I don't even need '-p' for "rear recover".
RESCUE localhost:~ # find / -xdev -type d | grep '/rear'
/usr/share/rear
...
/etc/rear
/etc/rear/mappings
/etc/rear/cert
/var/lib/rear
/var/tmp/rear.XXX...
RESCUE localhost:~ # rm -rf /usr/share /etc/rear/mappings /etc/rear/cert /var/lib/rear /var/tmp/rear.*
RESCUE localhost:~ # find /etc/rear
/etc/rear
/etc/rear/os.conf
/etc/rear/local.conf
/etc/rear/rescue.conf
RESCUE localhost:~ # rm /etc/rear/os.conf /etc/rear/local.conf
RESCUE localhost:~ # find / -xdev -type l | grep '/rear'
/usr/lib/systemd/system/multi-user.target.wants/rear-boot-helper.service
RESCUE localhost:~ # rm /usr/lib/systemd/system/multi-user.target.wants/rear-boot-helper.service
RESCUE localhost:~ # find / -xdev -type f | grep 'rear'
/usr/lib/systemd/system/rear-boot-helper.service
/usr/lib/systemd/system/automatic-rear.service
/tmp/rear-localhost-partial-2025-01-27T14:23:16+01:00.log
/bin/rear
/etc/rear-release
/etc/scripts/run-automatic-rear
/etc/event.d/automatic-rear
/etc/rear/rescue.conf
RESCUE localhost:~ # rm /usr/lib/systemd/system/rear-boot-helper.service /usr/lib/systemd/system/automatic-rear.service /tmp/rear-localhost-partial-2025-01-27T14:23:16+01:00.log /bin/rear /etc/scripts/run-automatic-rear /etc/event.d/automatic-rear /etc/rear/rescue.conf
RESCUE localhost:~ # find / -xdev | grep 'rear'
/usr/lib/systemd/system/multi-user.target.wants/automatic-rear.service
/etc/rear-release
/etc/rear
RESCUE localhost:~ # rm /usr/lib/systemd/system/multi-user.target.wants/automatic-rear.service
RESCUE localhost:~ # find / -xdev | grep 'rear'
/etc/rear-release
/etc/rear
Then I did almost the same as in
https://github.com/rear/rear/pull/3379#issuecomment-2610008547
RESCUE localhost:~ # mkdir /nfs
RESCUE localhost:~ # mount -t nfs -o nolock 192.168.178.66:/nfs/localhost /nfs
RESCUE localhost:~ # mkdir -p /portable/rea
RESCUE localhost:~ # cd /portable/rear
RESCUE localhost:/portable/rear # cp /nfs/localhost-portable.tar.gz .
RESCUE localhost:/portable/rear # tar -xf localhost-portable.tar.gz
RESCUE localhost:/portable/rear # ls -l
total 1636
drwxr-xr-x 3 root root 0 Jan 27 14:11 etc
-rw------- 1 root root 1673964 Jan 27 14:11 localhost-portable.tar.gz
drwxr-xr-x 4 root root 0 Jan 27 14:11 usr
drwxr-xr-x 3 root root 0 Jan 27 14:11 var
RESCUE localhost:/portable/rear # find usr -maxdepth 2
usr
usr/share
usr/share/rear
usr/sbin
usr/sbin/rear
RESCUE localhost:/portable/rear # find etc
etc
etc/rear
etc/rear/os.conf
etc/rear/local.conf
etc/rear/cert
etc/rear/rescue.conf
RESCUE localhost:/portable/rear # find var
var
var/lib
var/lib/rear
var/lib/rear/sysreqs
var/lib/rear/sysreqs/Minimal_System_Requirements.txt
var/lib/rear/layout
var/lib/rear/layout/disklayout.conf
var/lib/rear/layout/disktodo.conf
var/lib/rear/layout/diskdeps.conf
var/lib/rear/layout/lvm
var/lib/rear/layout/config
var/lib/rear/layout/config/files.md5sum
var/lib/rear/layout/config/df.txt
var/lib/rear/recovery
var/lib/rear/recovery/if_inet6
var/lib/rear/recovery/storage_drivers
var/lib/rear/recovery/initrd_modules
var/lib/rear/recovery/bootloader
var/lib/rear/recovery/mountpoint_device
var/lib/rear/recovery/diskbyid_mappings
var/lib/rear/recovery/directories_permissions_owner_group
var/lib/rear/output
RESCUE localhost:/portable/rear # usr/sbin/rear -D recover
...
Using log file: /portable/rear/var/log/rear/rear-localhost.log
...
RESCUE localhost:/portable/rear # grep 'Sourced files must be' var/log/rear/rear-localhost.log
2025-01-27 14:19:43.737429730 Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root
2025-01-27 14:19:43.740085529 Sourced files must be below one of the TRUSTWORTHY_PATHS /portable/rear/ /usr/ /etc/ /lib/
jsmeix commented at 2025-01-27 14:58:
I call it now a "prototype"
because things work well for me for my tests
- in normal mode
- when on the original system ReaR is installed as normal RPM package
- when on the original system ReaR is a Git checkout as root or normal user
- in PORTABLE mode
- when on the original system ReaR is installed as normal RPM package
- when on the original system ReaR is a Git checkout as normal user
My intent of this pull request is not a final solution
but a reasonably OK working "prototype" that can and should
be merged early in our current ReaR 3.0 development phase
so that interested users test it so we get early feedback
how it actually behaves "out there in the wild".
@schlomo @gdha @pcahyna
please have a look here (as time permits)
and provide feedback whether or not
this current "prototype" state looks OK in general
from your point of view, see also my above
https://github.com/rear/rear/pull/3379#issuecomment-2607258857
jsmeix commented at 2025-01-29 08:47:
We neither need to significantly out-perform all other software
nor did I implement it nor do I have plans to do so, see
https://github.com/rear/rear/pull/3379#issuecomment-2607258857
Let's discuss it further in our next meeting.
In writing we have been running in circles for almost a year.
jsmeix commented at 2025-01-29 08:50:
What I need to add is functionality so that the user can
specify TRUSTED_FILE_OWNERS and TRUSTED_FILE_PATHS
and then ReaR will use only that ("final power to the user")
in particular so that the user can specify what he needs
for special cases (e.g. for whatever third-party software).
jsmeix commented at 2025-02-03 16:20:
I tested my latest changes with an additional script
in an untrusted directory /home/johannes/johannes.sh
#!/bin/bash
this_file_path=$( readlink -e ${BASH_SOURCE[0]} )
echo $this_file_path is running as $( id )
and these additional entries in etc/rear/local.conf
TRUSTWORTHY_OWNERS+=( 'johannes' )
TRUSTWORTHY_PATHS+=( '/home/johannes/' )
{ source /home/johannes/johannes.sh && echo "Sourced /home/johannes/johannes.sh" || echo "Failed to source /home/johannes/johannes.sh" ; } 0<&6 1>&7 2>&8
COPY_AS_IS+=( /home/johannes/johannes.sh )
plus this additional 'source' command at the beginning of
usr/share/rear/init/default/001_verify_config_arrays.sh
source /home/johannes/johannes.sh && DebugPrint "${BASH_SOURCE[0]}: Sourced /home/johannes/johannes.sh" || DebugPrint "${BASH_SOURCE[0]}: Failed to source /home/johannes/johannes.sh"
from a Git checkout that I did as root:
localhost:~/rear.github.master-jsmeix-source-wrapper # usr/sbin/rear -d -C /home/johannes/johannes.sh mkrescue
...
/home/johannes/johannes.sh is running as uid=0(root) gid=0(root) groups=0(root)
Sourced /home/johannes/johannes.sh
Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
Sourced files must be below one of the TRUSTWORTHY_PATHS /root/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /lib/ /home/johannes/
Sourcing additional configuration file '/home/johannes/johannes.sh'
Running 'init' stage ======================
/root/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh: Sourced /home/johannes/johannes.sh
Running workflow mkrescue on the normal/original system
...
this was with '-d'
but now with '-D' but without '-C'
localhost:~/rear.github.master-jsmeix-source-wrapper # usr/sbin/rear -D mkbackuponly
...
++ source /home/johannes/johannes.sh
++ local source_file=/home/johannes/johannes.sh
++ Debug 'Trustworthy sourcing '\''/home/johannes/johannes.sh'\'''
++ test -f /home/johannes/johannes.sh
++ is_trustworthy_owner /home/johannes/johannes.sh
++ local file=/home/johannes/johannes.sh
++ local owner_name=
++ local trustworthy_owner=
++ test -f /home/johannes/johannes.sh
+++ stat -L -c %U /home/johannes/johannes.sh
++ owner_name=johannes
++ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
++ test johannes = root
++ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
++ test johannes = johannes
++ return 0
++ is_trustworthy_path /home/johannes/johannes.sh
++ local file=/home/johannes/johannes.sh
++ local actual_path=
++ local trustworthy_path=
++ test -f /home/johannes/johannes.sh
+++ readlink -e /home/johannes/johannes.sh
++ actual_path=/home/johannes/johannes.sh
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /root/rear.github.master-jsmeix-source-wrapper/
++ [[ /home/johannes/johannes.sh =~ ^/root/rear.github.master-jsmeix-source-wrapper/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /usr/
++ [[ /home/johannes/johannes.sh =~ ^/usr/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /etc/
++ [[ /home/johannes/johannes.sh =~ ^/etc/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /lib/
++ [[ /home/johannes/johannes.sh =~ ^/lib/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /home/johannes/
++ [[ /home/johannes/johannes.sh =~ ^/home/johannes/ ]]
++ return 0
++ builtin source /home/johannes/johannes.sh
++++ readlink -e /home/johannes/johannes.sh
+++ this_file_path=/home/johannes/johannes.sh
++++ id
+++ echo /home/johannes/johannes.sh is running as 'uid=0(root)' 'gid=0(root)' 'groups=0(root)'
/home/johannes/johannes.sh is running as uid=0(root) gid=0(root) groups=0(root)
++ echo 'Sourced /home/johannes/johannes.sh'
Sourced /home/johannes/johannes.sh
Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
Sourced files must be below one of the TRUSTWORTHY_PATHS /root/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /lib/ /home/johannes/
Running 'init' stage ======================
/root/rear.github.master-jsmeix-source-wrapper/usr/share/rear/init/default/001_verify_config_arrays.sh: Sourced /home/johannes/johannes.sh
Running workflow mkbackuponly on the normal/original system
...
Both "mkrescue" and "mkbackuponly" worked well and as expected for me.
Recovery:
RESCUE localhost:~ # rear -D -C /home/johannes/johannes.sh recover
...
++ source /home/johannes/johannes.sh
++ local source_file=/home/johannes/johannes.sh
++ Debug 'Trustworthy sourcing '\''/home/johannes/johannes.sh'\'''
++ test -f /home/johannes/johannes.sh
++ is_trustworthy_owner /home/johannes/johannes.sh
++ local file=/home/johannes/johannes.sh
++ local owner_name=
++ local trustworthy_owner=
++ test -f /home/johannes/johannes.sh
+++ stat -L -c %U /home/johannes/johannes.sh
++ owner_name=johannes
++ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
++ test johannes = root
++ for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}"
++ test johannes = johannes
++ return 0
++ is_trustworthy_path /home/johannes/johannes.sh
++ local file=/home/johannes/johannes.sh
++ local actual_path=
++ local trustworthy_path=
++ test -f /home/johannes/johannes.sh
+++ readlink -e /home/johannes/johannes.sh
++ actual_path=/home/johannes/johannes.sh
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /root/rear.github.master-jsmeix-source-wrapper/
++ [[ /home/johannes/johannes.sh =~ ^/root/rear.github.master-jsmeix-source-wrapper/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /usr/
++ [[ /home/johannes/johannes.sh =~ ^/usr/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /etc/
++ [[ /home/johannes/johannes.sh =~ ^/etc/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /var/lib/rear/
++ [[ /home/johannes/johannes.sh =~ ^/var/lib/rear/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /lib/
++ [[ /home/johannes/johannes.sh =~ ^/lib/ ]]
++ for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}"
++ test /home/johannes/
++ [[ /home/johannes/johannes.sh =~ ^/home/johannes/ ]]
++ return 0
++ builtin source /home/johannes/johannes.sh
++++ readlink -e /home/johannes/johannes.sh
+++ this_file_path=/home/johannes/johannes.sh
++++ id
+++ echo /home/johannes/johannes.sh is running as 'uid=0(root)' 'gid=0(root)' 'groups=0(root)'
/home/johannes/johannes.sh is running as uid=0(root) gid=0(root) groups=0(root)
++ echo 'Sourced /home/johannes/johannes.sh'
Sourced /home/johannes/johannes.sh
Sourced files must be owned by one of the TRUSTWORTHY_OWNERS root johannes
Sourced files must be below one of the TRUSTWORTHY_PATHS /root/rear.github.master-jsmeix-source-wrapper/ /usr/ /etc/ /var/lib/rear/ /lib/ /home/johannes/
Sourcing additional configuration file '/home/johannes/johannes.sh'
Running 'init' stage ======================
/usr/share/rear/init/default/001_verify_config_arrays.sh: Sourced /home/johannes/johannes.sh
Running workflow recover within the ReaR rescue/recovery system
...
Also "recover" worked well and as expected for me.
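The owner and path checks visible in the '-D' traces above, rebuilt as a stand-alone added example (this is not the pull request's code). Assumptions: GNU stat and readlink, the hypothetical names trusted_source and run_demo, a constructed temporary test tree, and a literal prefix comparison in place of the '=~' match shown in the trace.

```bash
# Added example, not ReaR code. Array names follow the log excerpts above;
# trusted_source and run_demo are hypothetical names.
TRUSTWORTHY_OWNERS=( root )
TRUSTWORTHY_PATHS=( /usr/ /etc/ /lib/ )

is_trustworthy_owner () {
    local owner_name trustworthy_owner
    # -L follows symlinks, so the owner of the real file is checked
    owner_name="$( stat -L -c %U "$1" )" || return 1
    for trustworthy_owner in "${TRUSTWORTHY_OWNERS[@]}" ; do
        test "$owner_name" = "$trustworthy_owner" && return 0
    done
    return 1
}

is_trustworthy_path () {
    local actual_path trustworthy_path
    # Resolve symlinks and '..' so the check sees where the file really is
    actual_path="$( readlink -e "$1" )" || return 1
    for trustworthy_path in "${TRUSTWORTHY_PATHS[@]}" ; do
        # An empty entry would be a prefix of every path, so skip it
        test "$trustworthy_path" || continue
        # Quoted right-hand side = literal prefix (a '.' is only a '.')
        [[ "$actual_path" == "$trustworthy_path"* ]] && return 0
    done
    return 1
}

trusted_source () {
    local source_file="$1"
    test -f "$source_file" || { echo "'$source_file' is not a file" >&2 ; return 1 ; }
    is_trustworthy_owner "$source_file" || { echo "Forbidden to source '$source_file': owner" >&2 ; return 1 ; }
    is_trustworthy_path "$source_file" || { echo "Forbidden to source '$source_file': path" >&2 ; return 1 ; }
    builtin source "$source_file"
}

# Constructed test tree: one trusted directory, one look-alike, one symlink
run_demo () {
    local tmp file results=""
    tmp="$( readlink -e "$( mktemp -d )" )" || return 1
    mkdir "$tmp/conf.d" "$tmp/confXd"
    echo 'SOURCED_OK=yes' | tee "$tmp/conf.d/good.sh" > "$tmp/confXd/other.sh"
    ln -s "$tmp/confXd/other.sh" "$tmp/conf.d/link.sh"
    TRUSTWORTHY_OWNERS=( "$( stat -c %U "$tmp/conf.d/good.sh" )" )
    TRUSTWORTHY_PATHS=( "$tmp/conf.d/" )
    for file in conf.d/good.sh confXd/other.sh conf.d/link.sh ; do
        trusted_source "$tmp/$file" 2>/dev/null && results+="allowed " || results+="denied "
    done
    TRUSTWORTHY_OWNERS=( no-such-owner )
    trusted_source "$tmp/conf.d/good.sh" 2>/dev/null && results+="allowed" || results+="denied"
    rm -rf "$tmp"
    echo "$results"
}
run_demo   # prints: allowed denied denied denied
```

The second and third results are the ones to look at: a file in the look-alike directory confXd is denied because the prefix is compared literally, and the symlink inside the trusted directory is denied because its resolved target lies outside it.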
jsmeix commented at 2025-02-03 16:28:
Tested sourcing via 'source' versus via '.'
with an enhanced /home/johannes/johannes.sh
#!/bin/bash
this_file_path=$( readlink -e ${BASH_SOURCE[0]} )
echo $this_file_path is running as $( id )
echo "sourcing /etc/os-release via 'source'"
source /etc/os-release && echo Worked || echo Failed
echo "sourcing /etc/os-release via '.'"
. /etc/os-release && echo Worked || echo Failed
results
# usr/sbin/rear -d -C /home/johannes/johannes.sh mkrescue
...
/home/johannes/johannes.sh is running as uid=0(root) gid=0(root) groups=0(root)
sourcing /etc/os-release via 'source'
/etc/os-release: line 2: VERSION: readonly variable
Worked
sourcing /etc/os-release via '.'
ERROR: BUG in Relax-and-Recover
Forbidden usage of '.' in
. /etc/os-release
Please report it at https://github.com/rear/rear/issues
Also works as expected.
jsmeix commented at 2025-02-04 07:44:
I would like to add that the user can explicitly specify a
special value for TRUSTED_FILE_OWNERS and TRUSTED_FILE_PATHS
so that the trustworthy sourcing checks are skipped
i.e. that all owners and all paths are blindly trusted
to be able to force ReaR to behave as it currently does
i.e. blindly/carelessly sourcing anything.
[Export of Github issue for rear/rear.]