From owner-freebsd-fs@freebsd.org  Mon Nov 18 10:01:32 2019
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 362341BAF2F
 for <freebsd-fs@mailman.nyi.freebsd.org>; Mon, 18 Nov 2019 10:01:32 +0000 (UTC)
 (envelope-from borjam@sarenet.es)
Received: from cu1176c.smtpx.saremail.com (cu1176c.smtpx.saremail.com
 [195.16.148.151])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 47Gkxk6y6wz4fkP;
 Mon, 18 Nov 2019 10:01:30 +0000 (UTC)
 (envelope-from borjam@sarenet.es)
Received: from [172.16.8.16] (unknown [192.148.167.11])
 by proxypop02.sare.net (Postfix) with ESMTPA id B78B79DC7F1;
 Mon, 18 Nov 2019 11:01:26 +0100 (CET)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: ZFS snapdir readability (Crosspost)
From: Borja Marcos <borjam@sarenet.es>
In-Reply-To: <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net>
Date: Mon, 18 Nov 2019 11:01:26 +0100
Cc: Alan Somers <asomers@freebsd.org>, Jan Behrens <jbe-mlist@magnetkern.de>,
 freebsd-fs <freebsd-fs@freebsd.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es>
References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>
 <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com>
 <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net>
To: mike tancsa <mike@sentex.net>
X-Mailer: Apple Mail (2.3445.104.11)
X-Rspamd-Queue-Id: 47Gkxk6y6wz4fkP
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org; dkim=none;
 dmarc=pass (policy=none) header.from=sarenet.es;
 spf=pass (mx1.freebsd.org: domain of borjam@sarenet.es designates
 195.16.148.151 as permitted sender) smtp.mailfrom=borjam@sarenet.es
X-Spamd-Result: default: False [-5.00 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4];
 R_SPF_ALLOW(-0.20)[+ip4:195.16.148.0/24]; MV_CASE(0.50)[];
 MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 DMARC_POLICY_ALLOW(-0.50)[sarenet.es,none];
 RCVD_IN_DNSWL_NONE(0.00)[151.148.16.195.list.dnswl.org : 127.0.10.0];
 IP_SCORE(-2.70)[ip: (-7.53), ipnet: 195.16.128.0/19(-3.52), asn: 3262(-2.50),
 country: ES(0.04)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 10:01:32 -0000



> On 7 Nov 2019, at 15:54, mike tancsa <mike@sentex.net> wrote:
>=20
> On 11/6/2019 7:02 PM, Alan Somers wrote:
>>=20
>> Your analysis of the snapdir is correct.  Setting it to hidden =
doesn't make
>> it inaccessible.  That's not unique to FreeBSD, however.  I believe =
it's
>> common to all ZFS implementations (I just double checked on Oracle
>> Solaris).  Also, the problem isn't unique to ZFS.  Any backup system =
would
>> have the same problem, as long as users are allowed to access the =
backups
>> directly.  And in fact, Bob could've directly observed Alice's id_rsa =
file
>> before she changed it.  So I don't think this should be considered a
>> security vulnerability.  The best course for Alice would be to =
consider her
>> id_rsa as compromised as soon as she notices the problem, and delete =
it.
>=20
> Still, it would be a nice feature to have where .zfs could be set to
> root only read.    In a multi user system, my users (me included) do =
all
> sorts of accidental foot shooting things like making files readable =
for
> a brief period of time they should not make readable.  I think I =
recall
> ZoL adding this as a feature back when I ran into this issue via zfs
> allow / unallow ? Or at least I think I saw discussion about it.
>=20
> https://github.com/zfsonlinux/zfs/issues/3963

The problem is, snapshot access breaks the semantics of chown() and =
chmod().

Maybe a lesser evil would be to define a uid with snapshot access for =
each dataset. At least
for systems with a dataset per home directory it would allow a user to =
access their past snapshots
while at the same time restricting to past snapshots to other users.




Borja.=