From: Andriy Gapon (avg@FreeBSD.org)
To: Bryan Drewery, Freddie Cash
Cc: FreeBSD Stable (freebsd-stable@FreeBSD.org)
Date: Sat, 05 May 2012 00:25:07 +0300
Message-ID: <4FA44933.4040902@FreeBSD.org>
In-Reply-To: <4FA3FF18.4000309@shatow.net>
Subject: Re: Make filesystem type configurable for periodic(8)?

on 04/05/2012 19:08 Bryan Drewery said the following:
> On 05/04/2012 11:05 AM, Freddie Cash wrote:
>> A few of the periodic(8) scripts in FreeBSD have constructs similar to
>> the following to get which filesystems to scan for various things:
>>
>> MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
>>
>> For systems with large ZFS pools, and many ZFS filesystems, these
>> periodic scripts can grind it to its knees, and then some. For
>> backups servers where we don't really care about the
>> ownership/permissions of files from the FreeBSD perspective, we really
>> don't want the ZFS filesystems to be scanned; only the UFS ones for the
>> FreeBSD OS install. To that end, I have to manually edit these files
>> to remove the ",zfs":
>>
>> MP=`mount -t ufs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
>>              ^^^^^^^^
>>
>> Would it be worthwhile to anyone else to make the filesystem type(s)
>> to scan via the periodic(8) scripts a variable that's set by default
>> in /etc/defaults/periodic.conf and that users can override via
>> /etc/periodic.conf?
>>
>> Or, am I the only one that's suffering here? :)
>>
>> If there's interest in this, I can look into coming up with some
>> patches. But wanted to check if anyone else would find it useful.
>>
>
> I would find this useful. But further, I have a ZFS root pool as well as
> a ZFS backup pool. I don't want to exclude all of ZFS, just certain
> pools, or even certain datasets.

Guys, why do you think that FS type is significant for these periodic
security checks? Why must ZFS (or some other FS) be immune to a rogue
suid script or some other permissions-based security threat?
If you are sure that your ZFS datasets cannot be a source of such an
attack, then why not:

1) either disable the periodic security check altogether?
2) or mark the appropriate datasets as noexec or nosuid to ensure your belief?

--
Andriy Gapon