More fail safe BACKUP_PROG_CRYPT_KEY handling (issue 2157) #2178

@jsmeix jsmeix commented Jul 8, 2019

Make the code that deals with BACKUP_PROG_CRYPT_KEY more fail safe:

  1. Use double quotes "$BACKUP_PROG_CRYPT_KEY" so that
    the BACKUP_PROG_CRYPT_KEY value can contain spaces.

  2. Escape special regexp characters in the BACKUP_PROG_CRYPT_KEY value
    when it is used as a regexp in grep or sed.

  3. Use single quotes BACKUP_PROG_CRYPT_KEY='my_secret_passphrase'
    in the documentation examples so that the BACKUP_PROG_CRYPT_KEY value
    can contain special characters like $,
    cf. Backup tar file 0 bytes if encryption enabled when BACKUP_PROG_CRYPT_KEY contains special characters #2157 (comment)

  4. Recommend to not use special characters in the
    BACKUP_PROG_CRYPT_KEY value to be on the safe side
    against things breaking in unexpected weird ways when certain code
    in ReaR is not yet safe against arbitrary special characters in values
    cf. Make ReaR safe against blanks or special characters in file and directory names #1372

@jsmeix jsmeix added enhancement Adaptions and new features bug The code does not do what it is meant to do documentation labels Jul 8, 2019
@jsmeix jsmeix added this to the ReaR v2.6 milestone Jul 8, 2019
@jsmeix jsmeix requested a review from a team July 8, 2019 12:41
@jsmeix jsmeix self-assigned this Jul 8, 2019

@gdha gdha left a comment

@jsmeix Code looks clean to me - thank you for cleaning up this mess

jsmeix commented Jul 9, 2019

I tested the escaped_regexp code in the new
usr/share/rear/build/default/960_remove_encryption_keys.sh
here by using a BACKUP_PROG_CRYPT_KEY with all those
special characters that are listed in the new default.conf here
except the single quote character
on command line

# BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass '

# echo "'$BACKUP_PROG_CRYPT_KEY'"
' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass '

# escaped_regexp="$( echo "$BACKUP_PROG_CRYPT_KEY" | sed -e 's/\([[\/.*]\|\]\)/\\&/g' )"

# echo "'$escaped_regexp'"
' my $ ` " | & ; ( ) < > { } \[ \] \. \* @ ! ? \/ \\ pass '

# echo "foo BACKUP_PROG_CRYPT_KEY='$BACKUP_PROG_CRYPT_KEY' bar $BACKUP_PROG_CRYPT_KEY baz" | grep -o "BACKUP_PROG_CRYPT_KEY=.*$escaped_regexp" && echo found
BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass ' bar  my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass 
found

# echo "foo BACKUP_PROG_CRYPT_KEY='$BACKUP_PROG_CRYPT_KEY' bar $BACKUP_PROG_CRYPT_KEY baz" | sed -e "/BACKUP_PROG_CRYPT_KEY=/s/$escaped_regexp//g"
foo BACKUP_PROG_CRYPT_KEY='' bar  baz

so it seems at least the new
usr/share/rear/build/default/960_remove_encryption_keys.sh
here is safe against special characters in BACKUP_PROG_CRYPT_KEY.

Let's see if that BACKUP_PROG_CRYPT_KEY also works
for a real test...

jsmeix commented Jul 9, 2019

Surprisingly "rear mkbackup" and "rear recover"
both "just worked" for me with

BACKUP_PROG_CRYPT_ENABLED="yes"
{ BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass ' ; } 2>/dev/null

in etc/rear/local.conf so that I will "just merge" it now.

Testing a single quote within BACKUP_PROG_CRYPT_KEY
is left as an exercise to the reader, cf.
https://stackoverflow.com/questions/1250079/how-to-escape-single-quotes-within-single-quoted-strings
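
The escaping and quoting discussed in this pull request, as an added shell illustration that is not ReaR's code and not part of the pull request. The function names and sample values are hypothetical; `escape_bre` goes slightly beyond the sed expression tested above by also escaping `^` and `$`, and `single_quote` covers the single-quote case that the last comment leaves open.

```shell
#!/bin/sh
# Added illustration, not ReaR code. Function names and sample data are hypothetical.

# Backslash-escape the characters that are special in a POSIX basic regexp
# ( [ ] \ . * ^ $ ) and the '/' used as sed delimiter in redact_key below.
escape_bre() {
    printf '%s\n' "$1" | sed -e 's,[][\/.*^$],\\&,g'
}

# Remove every literal occurrence of the key "$1" from the text on stdin.
redact_key() {
    sed -e "s/$( escape_bre "$1" )//g"
}

# The same removal without escaping, kept only to show the failure mode.
redact_key_unescaped() {
    sed -e "s/$1//g"
}

# Wrap a value in single quotes for a bash-sourced config file. An embedded
# single quote becomes '\'' (close the quote, escaped quote, reopen the quote).
single_quote() {
    printf "'%s'\n" "$( printf '%s\n' "$1" | sed -e "s/'/'\\\\''/g" )"
}

# Constructed sample values, not real secrets.
key='pa.s*'
line="KEY=$key hint=pass"
printf '%s\n' "$line" | redact_key_unescaped "$key"   # over- and under-matches
printf '%s\n' "$line" | redact_key "$key"             # removes the key only
single_quote "it's a \$ecret"                         # safe config-file value
```

Without escaping, the key is treated as a pattern, so part of the secret can stay in the file while unrelated text is deleted; with escaping only the literal key is removed.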

@jsmeix jsmeix merged commit 122984d into rear:master Jul 9, 2019
@jsmeix jsmeix deleted the more_fail_safe_BACKUP_PROG_CRYPT_KEY_hadling_issue2157 branch July 9, 2019 09:15
jsmeix added a commit that referenced this pull request Jul 13, 2020
Use single quotes in the password settings examples
echo 'my_recovery_system_root_password' | openssl passwd -1 -stdin
ZYPPER_ROOT_PASSWORD='root'
YUM_ROOT_PASSWORD='root'
because single quotes avoid issues with the special bash characters
like $ in the password, cf. #2178
jsmeix added a commit that referenced this pull request Jul 13, 2020
Use single quotes in the password settings example
SSH_ROOT_PASSWORD='password_on_the_rear_recovery_system'
because single quotes avoid issues with special bash characters
like $ in the password, cf. #2178 and
580c38a