From: Jan Behrens
To: Martin Simmons
Cc: borjam@sarenet.es, freebsd-fs@freebsd.org
Date: Thu, 21 Nov 2019 17:49:26 +0100
Subject: Re: ZFS snapdir readability (Crosspost)

On Thu, 21 Nov 2019 11:19:28 GMT
Martin Simmons wrote:

> > Mounting is not the same as cloning and mounting. But you are right: If
> > snapshots are cloned first, you can specify the mountpoint. But then
> > you are mounting a new file system and not a snapshot technically.
> > Which brings us back to option (a) never mount snapshots ever ;-)
> >
> > Given that we can prohibit the automounting of all snapshots, it would
> > be a nice workaround which would not have too much overhead.
>
> Can't you already achieve (d) using /sbin/mount?
>
> __Martin

Thanks for pointing that out, I didn't know. It works on my system
(FreeBSD 12.0).

    mount -t zfs filesystem@snapshot /mnt

"-o ro" is optional; in either case it is mounted read-only.

Thus, if auto-mounting of the snapshots in .zfs/snapshot can somehow be
disabled (or if access to .zfs can be restricted to root), it would be
possible to mount snapshots in such a way that only certain users can
access them.

    mkdir /protected
    mkdir /protected/mnt
    chgrp snapreaders /protected
    chmod 770 /protected
    mount -t zfs -o ro filesystem@snapshot /protected/mnt

It's not nice to have the extra parent directory (/protected) but at
least it would work.

Of course, this requires that access to .zfs/snapshot is prohibited for
non-privileged users (or that snapshot automounting is disabled), as the
solution is pointless if users can circumvent access restrictions by
accessing .zfs/snapshot/.

As far as I know, there is no way to disable having .zfs/snapshot
readable by everyone, is that correct?

Regards,
Jan
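
Added example, not part of the original message: a POSIX sh check, meant to be run as root, that reports the first directory on the way to a path which users outside the owner and group cannot search. Running it on both the restricted mount point and the corresponding path under .zfs/snapshot shows whether the second route is still open. The function names and the optional base argument are assumptions of this example, and it looks at mode bits only, not ACLs or MAC policies.

```sh
#!/bin/sh
# Added example (not from the original thread). Mode bits only; ACLs and
# MAC policies are ignored, which is an assumption of this sketch.

# other_x DIR: succeed if "other" has the search (execute) bit on DIR.
other_x() {
    # 10th character of the ls -l mode string is other's x bit;
    # "t" means sticky with x set, "T" means sticky without x.
    case "$(ls -ld -- "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocked TARGET [BASE]
# Walk from BASE (default "/") down to TARGET, which must lie under BASE.
# Print the first directory that "other" cannot search, or print nothing
# if every directory on the way is searchable. Always returns 0.
first_blocked() {
    target=$1
    base=${2:-/}
    other_x "$base" || { printf '%s\n' "$base"; return 0; }
    cur=${base%/}               # "/" becomes "" so joined paths stay clean
    rest=${target#"$cur"}       # the part of TARGET below BASE
    # Split the remainder on "/" without glob expansion.
    old_ifs=$IFS; IFS=/
    set -f; set -- $rest; set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || break  # stop at a missing path or a non-directory
        other_x "$cur" || { printf '%s\n' "$cur"; return 0; }
    done
    return 0
}

# Typical use, with the paths from the message (snapshot name is a placeholder):
#   first_blocked /protected/mnt
#   first_blocked /path/to/filesystem/.zfs/snapshot/SNAPNAME
```

An empty result for the .zfs/snapshot path while the restricted path prints a blocking directory means the restriction applies to one route only.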