From owner-freebsd-current Thu Jan 30 17:18:12 2003
Message-Id: <200301310116.h0V1GmFL017340@beastie.mckusick.com>
To: Giorgos Keramidas
Subject: Re: dump -L and privilege
Cc: Garrett Wollman, freebsd-current@FreeBSD.org
In-Reply-To: Your message of "Fri, 31 Jan 2003 02:24:00 +0200." <20030131002400.GC758@gothmog.gr>
Date: Thu, 30 Jan 2003 17:16:48 -0800
From: Kirk McKusick

  Date: Fri, 31 Jan 2003 02:24:00 +0200
  From: Giorgos Keramidas
  To: Garrett Wollman
  Cc: Kirk McKusick, freebsd-current@FreeBSD.org
  Subject: Re: dump -L and privilege

  On 2003-01-30 15:52, Garrett Wollman wrote:
  > < Kirk McKusick said:
  > > The other alternative would be to
  > > create a setuid-to-root program that would take a snapshot and
  > > chown it to the user that does dumps.
  >
  > I think this would actually be a useful feature for more than just
  > dumps.  I might want to allow some users (say, those in group
  > `operator') to be able to create snapshots on their own, without
  > allowing arbitrary mounting privileges.

  Do normal permissions apply for the files included in a snapshot?
  It would be horrible from a security standpoint if any user could
  use a setuid program to snapshot filesystems, mount the snapshot to
  places of their own, and read random files from the mounted snapshot.

  - Giorgos

By default snapshots are mode 400 owned by root, so normal users
cannot access them. The setuid program is proposing to make them
mode 440 group operator which would let anyone in the operator group
read them. This is the same level of permission given to disks, so is
neither more nor less secure than regular disks.

If the snapshot is mounted, then the same filesystem permissions are
enforced as would be enforced for the mounted disk except that the
mount must be done read-only, so nothing in the snapshot can be
moved, deleted, or changed.

	Kirk McKusick
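As an added illustration of the privilege boundary described in this reply (a sketch, not code from the thread or from FreeBSD): a POSIX sh model of such a setuid helper that checks the caller is in group operator, accepts only a plain snapshot name under the filesystem's .snap directory, hands the snapshot to group operator as root-owned mode 0440, and mounts it read-only. The /mnt/<name> mount point, the mdconfig step and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Sketch of the setuid-to-root snapshot helper discussed in the thread
# (illustration only, not FreeBSD's code). Because it would run setuid root,
# it takes a fixed, validated set of arguments and never lets the caller pick
# a mount point. It prints the privileged steps by default; "--run" as the
# first argument executes them (needs root on a UFS host; assumed layout).

SNAP_GROUP=operator     # group allowed to take snapshots, as proposed above
SNAP_MODE=0440          # root-owned, group-readable: same level as a disk device

# caller_allowed "<space separated group list>": 0 if SNAP_GROUP is listed.
# A pure string check so it can be tested without a real operator group.
caller_allowed() {
    for g in $1; do
        [ "$g" = "$SNAP_GROUP" ] && return 0
    done
    return 1
}

# valid_name "<name>": plain filename only, so the helper can only ever
# create files directly under <mountpoint>/.snap/.
valid_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
        *)         return 0 ;;
    esac
}

# snapshot_plan <mountpoint> <name>: print the privileged steps, one per line.
# The read-only md device and mount keep the snapshot contents immutable.
snapshot_plan() {
    fs=$1; name=$2
    valid_name "$name" || { echo "bad snapshot name: $name" >&2; return 1; }
    snap="$fs/.snap/$name"
    printf '%s\n' \
        "mount -u -o snapshot $snap $fs" \
        "chown root:$SNAP_GROUP $snap" \
        "chmod $SNAP_MODE $snap" \
        "unit=\$(mdconfig -a -t vnode -o readonly -f $snap)" \
        "mount -r /dev/\$unit /mnt/$name"
}

# main [--run] <mountpoint> <name>: refuse callers outside the group, then plan or run.
main() {
    run=0; [ "$1" = "--run" ] && { run=1; shift; }
    caller_allowed "$(id -Gn)" || { echo "not in group $SNAP_GROUP" >&2; return 1; }
    [ $# -eq 2 ] || { echo "usage: $0 [--run] <mountpoint> <name>" >&2; return 1; }
    plan=$(snapshot_plan "$1" "$2") || return 1
    if [ $run -eq 1 ]; then printf '%s\n' "$plan" | sh -e; else printf '%s\n' "$plan"; fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run as `sh helper.sh /usr daily` to see the planned steps; with `--run` they are executed through `sh -e`, so a failed snapshot never reaches the chown/chmod step.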