Date: Thu, 04 Aug 2022 09:22:18 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 265625] .zfs/snapshot directory is always readable (also by non-privileged users) Message-ID: <bug-265625-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D265625 Bug ID: 265625 Summary: .zfs/snapshot directory is always readable (also by non-privileged users) Product: Base System Version: 13.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: jbe@magnetkern.de The .zfs/snapshot directory of ZFS filesystems is always readable, also by non-privileged users. Since it is impossible to change ownership or file mo= des in a snapshot (it is read-only), this can be a security issue (only way to = fix a misconfiguration is to destroy all snapshots). Moreover, the behavior may be unexpected to users since the .zfs directory = is hidden by default (but readable!). There doesn't seem to be any way to disable access to snapshots (not even globally for everyone). The only workaround I know is to use mount_nullfs to shadow the directory. But that doesn't seem to be a clean solution and is e= rror prone. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-265625-227>