Date:      Sun, 9 Mar 2025 06:24:23 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Andrew Walker <awalker@ixsystems.com>
Cc:        Konstantin Belousov <kib@freebsd.org>, freebsd-arch@freebsd.org,  FreeBSD CURRENT <freebsd-current@freebsd.org>, Cedric Blancher <cedric.blancher@gmail.com>,  Lionel Cons <lionelcons1972@gmail.com>
Subject:   Re: RFC: Solaris style extended attributes for FreeBSD
Message-ID:  <CAM5tNy5C6NY%2B-kKkt_rud9kb_6ZN%2BsXqXaRwCcntJDDDLVmzcQ@mail.gmail.com>
In-Reply-To: <CAB5c7xoBn950onNid428C7jKkL%2B1vOfcFZJpbwCBgiiV3a0QNw@mail.gmail.com>
References:  <CAM5tNy6wkfPRUpkyHB3h6=fhJHf-eFSWWNdeHV5VLA_xG7pGDA@mail.gmail.com> <Z81ghZUaLYyrxxhd@kib.kiev.ua> <CAB5c7xpDGV0gZhxf7GRxxgH=yAy1xks-%2Bcsw8q=BAm-eh%2BPKDQ@mail.gmail.com> <CAB5c7xoBn950onNid428C7jKkL%2B1vOfcFZJpbwCBgiiV3a0QNw@mail.gmail.com>


On Sun, Mar 9, 2025 at 5:46 AM Andrew Walker <awalker@ixsystems.com> wrote:
>
> Out of curiosity, how are you preventing users from creating / writing
> xattrs with the `system?` name prefix. In ZFS on FreeBSD IIRC this
> prefix is used to determine whether the corresponding attribute when
> accessed via the extattr interface is in the user or system
> namespaces.
A couple of comments...
1 - My current thinking would be a ZFS fs would be configured for one
     or the other (mixing them is weird as noted by the next comment).
     There is currently the xattr property that can be set to "dir" or "sa".
2 - I haven't looked at system space FreeBSD attributes yet (I will),
     but when mixing them, you can get two attributes with the same name
     showing up in the named attribute directory (the open gets the named
     attribute one). I haven't yet figured out how to get rid of the duplicate.
3 - I assume the patch could include code that excludes "system.xxx" names
     from the directory. (I'll do some testing.)

> I vaguely recall some people may have patched the FreeBSD
> samba server for instance so that it writes security information
> related into the system namespace when samba is configured as a domain
> controller so some care needs to be taken with namespaces.
>
> You may also need to potentially restrict ones with `security.` and
> `trusted.` prefixes in case the ZFS data is replicated to Linux
> systems (because those are privileged namespaces and it may introduce
> a CVE).
Thanks for the info. I didn't know what Linux does.

rick
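
A name check of the kind discussed in this message, as an added example that is not part of the original e-mail and not code from the proposed patch. The function names and the policy (hide "system." names from the directory listing, refuse creation of "system.", "security." and "trusted." names through the directory) are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical classification of a name seen in the named attribute directory. */
enum nattr_class { NATTR_PLAIN, NATTR_SYSTEM, NATTR_LINUX_PRIV };

/* True only when the full "<ns>." prefix matches; the comparison is
 * case-sensitive, so "systemd.unit" and "SECURITY.x" stay NATTR_PLAIN. */
static int
has_prefix(const char *name, const char *prefix)
{
	return (strncmp(name, prefix, strlen(prefix)) == 0);
}

enum nattr_class
nattr_classify(const char *name)
{
	if (has_prefix(name, "system."))
		return (NATTR_SYSTEM);
	if (has_prefix(name, "security.") || has_prefix(name, "trusted."))
		return (NATTR_LINUX_PRIV);	/* privileged namespaces on Linux */
	return (NATTR_PLAIN);
}

/* Assumed policy: only non-empty plain names may be created via the directory. */
int
nattr_create_allowed(const char *name)
{
	return (name[0] != '\0' && nattr_classify(name) == NATTR_PLAIN);
}

/* Compact names[] in place, dropping "system." entries so they do not show
 * up in the directory listing; returns the number of names kept. */
size_t
nattr_filter_listing(const char **names, size_t n)
{
	size_t i, kept = 0;

	for (i = 0; i < n; i++)
		if (nattr_classify(names[i]) != NATTR_SYSTEM)
			names[kept++] = names[i];
	return (kept);
}
```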