From owner-freebsd-fs@freebsd.org Wed Nov 20 10:07:32 2019 Return-Path: Delivered-To: freebsd-fs@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 344471B1585 for ; Wed, 20 Nov 2019 10:07:32 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from cu1176c.smtpx.saremail.com (cu1176c.smtpx.saremail.com [195.16.148.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 47Hyzl00Bmz4bYC; Wed, 20 Nov 2019 10:07:30 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from [172.16.8.16] (unknown [192.148.167.11]) by proxypop02.sare.net (Postfix) with ESMTPA id 713159DD227; Wed, 20 Nov 2019 11:07:25 +0100 (CET) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: ZFS snapdir readability (Crosspost) From: Borja Marcos In-Reply-To: Date: Wed, 20 Nov 2019 11:07:24 +0100 Cc: Alan Somers , Jan Behrens , freebsd-fs Content-Transfer-Encoding: quoted-printable Message-Id: <261FE331-EC5C-48C8-9249-9BCBF887CE38@sarenet.es> References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es> To: mike tancsa X-Mailer: Apple Mail (2.3445.104.11) X-Rspamd-Queue-Id: 47Hyzl00Bmz4bYC X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=none) header.from=sarenet.es; spf=pass (mx1.freebsd.org: domain of borjam@sarenet.es designates 195.16.148.151 as permitted sender) smtp.mailfrom=borjam@sarenet.es X-Spamd-Result: default: False [-5.07 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+ip4:195.16.148.0/24]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; DMARC_POLICY_ALLOW(-0.50)[sarenet.es,none]; RCVD_IN_DNSWL_NONE(0.00)[151.148.16.195.list.dnswl.org : 127.0.10.0]; IP_SCORE(-2.77)[ip: (-7.78), ipnet: 195.16.128.0/19(-3.58), asn: 3262(-2.55), country: ES(0.04)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Nov 2019 10:07:32 -0000 > On 18 Nov 2019, at 14:09, mike tancsa wrote: >=20 > On 11/18/2019 5:01 AM, Borja Marcos wrote: >>=20 >>> On 11/6/2019 7:02 PM, Alan Somers wrote: >>>> Your analysis of the snapdir is correct. Setting it to hidden = doesn't make >>>> it inaccessible. That's not unique to FreeBSD, however. I believe = it's >>>> common to all ZFS implementations (I just double checked on Oracle >>>> Solaris). Also, the problem isn't unique to ZFS. Any backup = system would >>>> have the same problem, as long as users are allowed to access the = backups >>>> directly. And in fact, Bob could've directly observed Alice's = id_rsa file >>>> before she changed it. So I don't think this should be considered = a >>>> security vulnerability. The best course for Alice would be to = consider her >>>> id_rsa as compromised as soon as she notices the problem, and = delete it. >>> Still, it would be a nice feature to have where .zfs could be set to >>> root only read. In a multi user system, my users (me included) do = all >>> sorts of accidental foot shooting things like making files readable = for >>> a brief period of time they should not make readable. I think I = recall >>> ZoL adding this as a feature back when I ran into this issue via zfs >>> allow / unallow ? Or at least I think I saw discussion about it. >>>=20 >>> https://github.com/zfsonlinux/zfs/issues/3963 >> The problem is, snapshot access breaks the semantics of chown() and = chmod(). >>=20 > As the snapshots are always readonly, I think chown and chmod dont > really apply in this use case. Also, the fact that the mounts can be = set > to be "visibile" or "invisible" has its own, different convention from > UFS/NFS who dont have that "invisibility" feature (that I know of = anyway). That=E2=80=99s what I mean with breaking the semantics. When you change permissions on a file they apply to open() operations = attempted after the permissions/ownership change.=20 Now, if you add ZFS snapshots to the equation the situation is = different. If you change permissions/ownership on a file, access rights are not changed for the = snapshots because snapshots are read only. So, your file is still exposed.=20 > Maybe a lesser evil would be to define a uid with snapshot access for = each dataset. At least >> for systems with a dataset per home directory it would allow a user = to access their past snapshots >> while at the same time restricting to past snapshots to other users. >=20 > the problem is you could have a "rogue" snapshot. eg. a user does = chmod > a+rx ~ and leaves it on by mistake for a day. Any snapshots kept from > that period would leave that directory open. I think having a = "snapshots > not mounted" option adds a layer of security flexibility safety.=20 Yes, I mean that, as a lesser evil, those snapshots would be accessible = only to the dataset owner (either defined by a new attribute, or just determined by the owner of = the dataset root directory). That would offer the convenience of instantly accessible snapshots as an = instant access backup for HOME directories. You could make snapshots not mounted, period, requiring = administrator=E2=80=99s actions to mount them. But you would lose convenience for common users.=20 Borja.