X-Patchwork-Submitter: Axel Burri
X-Patchwork-Id: 10580715
From: Axel Burri
To: linux-btrfs@vger.kernel.org
Cc: Axel Burri
Subject: [RFC PATCH 0/6] btrfs-progs: build distinct binaries for specific btrfs subcommands
Date: Wed, 29 Aug 2018 19:24:03 +0200
Message-Id: <20180829172409.18064-1-axel@tty0.ch>

This patch allows building distinct binaries for specific btrfs
subcommands, e.g. "btrfs-subvolume-show" which would be identical to
"btrfs subvolume show".

Motivation:

While btrfs-progs offer the all-inclusive "btrfs" command, it gets
pretty cumbersome to restrict privileges to the subcommands [1].
Common approaches are to either setuid root for "/sbin/btrfs" (which
is not recommended at all), or to write sudo rules for each
subcommand.

Separating the subcommands into distinct binaries makes it easy to set
elevated privileges using capabilities(7) or setuid. A typical use
case where this is needed is when it comes to automated scripts,
e.g. btrbk [2] [3] creating snapshots and sending/receiving them via ssh.

Description:

Patch 1 adds a template as well as a generator shell script for the
split subcommands.

Patch 2 adds the generated subcommand source files.

Patches 3-5 add an "install-splitcmd-setcap" make target, with different
approaches (either hardcoded in Makefile, or more generically by
including "Makefile.install_setcap" generated by "splitcmd-gen.sh").

Open Questions:

1. "make install-splitcmd-setcap" installs the binaries with hardcoded
   group "btrfs". This needs to be configurable (how?). Another
   approach would be to not set the group at all, and leave this to
   the user or distro packaging script.

2. Instead of the "install-splitcmd-setcap" make target, we could
   introduce a "configure --enable-splitted-subcommands" option, which
   would simply add all splitcmd binaries to the "all" and "install"
   targets without special treatment, and leave the setcap stuff to
   the user or distro packaging script (at least in Gentoo, this needs
   to be specified using the "fcaps" eclass anyways [5]).

References:

[1] https://www.spinics.net/lists/linux-btrfs/msg75736.html
[2] https://github.com/digint/btrbk
[3] https://github.com/digint/btrfs-progs-btrbk
[4] https://github.com/digint/btrfs-progs/tree/splitcmd-setcap
[5] https://dev.tty0.ch/portage/digint-overlay.git (sys-fs/btrfs-progs-btrbk)

Axel Burri (6):
  btrfs-progs: splitcmd-gen.sh: create btrfs- binaries for selected subcommands
  btrfs-progs: add btrfs- source files generated by splitcmd-gen.sh
  btrfs-progs: Makefile: add "install-splitcmd-setcap" target, installs splitcmd binaries with appropriate capabilities
  btrfs-progs: Makefile: include Makefile.install_setcap generated by splitcmd-gen.sh
  btrfs-progs: Makefile: move progs_splitcmd variable to Makefile.install_setcap
  btrfs-progs: add splitcmd binaries to gitignore

 .gitignore                 |  9 +++++
 Makefile                   | 20 +++++++++++
 Makefile.inc.in            |  1 +
 Makefile.install_setcap    | 12 +++++++
 btrfs-filesystem-usage.c   | 23 +++++++++++++
 btrfs-qgroup-destroy.c     | 23 +++++++++++++
 btrfs-receive.c            | 23 +++++++++++++
 btrfs-send.c               | 23 +++++++++++++
 btrfs-subvolume-delete.c   | 23 +++++++++++++
 btrfs-subvolume-list.c     | 23 +++++++++++++
 btrfs-subvolume-show.c     | 23 +++++++++++++
 btrfs-subvolume-snapshot.c | 23 +++++++++++++
 configure.ac               |  1 +
 splitcmd-gen.sh            | 86 ++++++++++++++++++++++++++++++++++++++++++++++
 splitcmd.c.in              | 17 +++++++++
 15 files changed, 330 insertions(+)
 create mode 100644 Makefile.install_setcap
 create mode 100644 btrfs-filesystem-usage.c
 create mode 100644 btrfs-qgroup-destroy.c
 create mode 100644 btrfs-receive.c
 create mode 100644 btrfs-send.c
 create mode 100644 btrfs-subvolume-delete.c
 create mode 100644 btrfs-subvolume-list.c
 create mode 100644 btrfs-subvolume-show.c
 create mode 100644 btrfs-subvolume-snapshot.c
 create mode 100755 splitcmd-gen.sh
 create mode 100644 splitcmd.c.in
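
Added example, not part of the cover letter or of btrfs-progs: a post-install audit for the split binaries, relevant to open question 1 because file capabilities apply to every user who is allowed to execute the file. It assumes the binaries are installed as btrfs-* in one directory, are meant to be restricted to a single group, and should never be setuid; the function name audit_splitcmd and the finding messages are made up for this example.

```shell
#!/bin/sh
# Added example (not from btrfs-progs). Audits split btrfs-* binaries in DIR.
# Assumption: they should belong to GROUP, carry no setuid/setgid bit, and
# give "others" neither execute nor write permission.
# Usage: audit_splitcmd DIR GROUP
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_splitcmd() {
    dir=$1
    want_group=$2
    findings=0
    for f in "$dir"/btrfs-*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # The point of the split binaries is to avoid setuid root.
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$name: setuid/setgid bit set"
            findings=1
        fi
        # File capabilities benefit every user who may execute the file.
        if [ -n "$(find "$f" -prune -perm -0001 -print)" ]; then
            echo "$name: executable by others"
            findings=1
        fi
        if [ -n "$(find "$f" -prune -perm -0002 -print)" ]; then
            echo "$name: writable by others"
            findings=1
        fi
        # Fourth field of "ls -ld" is the owning group.
        have_group=$(ls -ld "$f" | awk '{print $4}')
        if [ "$have_group" != "$want_group" ]; then
            echo "$name: group is $have_group, expected $want_group"
            findings=1
        fi
    done
    return "$findings"
}
```

Running getcap on the same directory shows which capabilities each binary actually carries.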