Date: Sat, 05 May 2012 00:25:07 +0300 From: Andriy Gapon <avg@FreeBSD.org> To: Bryan Drewery <bryan@shatow.net>, Freddie Cash <fjwcash@gmail.com> Cc: FreeBSD Stable <freebsd-stable@FreeBSD.org> Subject: Re: Make filesystem type configurable for periodic(8)? Message-ID: <4FA44933.4040902@FreeBSD.org> In-Reply-To: <4FA3FF18.4000309@shatow.net> References: <CAOjFWZ4VxyMLSzzWsUMj21HccZkzwPUtM5PWAS-oaaocCLN8Dw@mail.gmail.com> <4FA3FF18.4000309@shatow.net>
next in thread | previous in thread | raw e-mail | index | archive | help
on 04/05/2012 19:08 Bryan Drewery said the following: > On 05/04/2012 11:05 AM, Freddie Cash wrote: >> A few of the periodic(8) scripts in FreeBSD have constructs similar to >> the following to get which filesystems to scan for various things: >> MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` >> >> For systems with large ZFS pools, and many ZFS filesystems, these >> periodic scripts can grind it to its knees, and then some. For >> backups servers where we don't really care about the >> ownership/permissions of files from the FreeBSD perspective, we really >> don't want the ZFS filesytems to be scanned; only the UFS ones for the >> FreeBSD OS install. To that end, I have to manually edit these files >> to remove the ",zfs": >> MP=`mount -t ufs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` >> ^^^^^^^^ >> Would it be worthwhile to anyone else to make the filesystem type(s) >> to scan via the periodic(8) scripts a variable that's set by default >> in /etc/defaults/periodic.conf and that user's can override via >> /etc/periodic.conf? >> >> Or, am I the only one that's suffering here? :) >> >> If there's interesting in this, I can look into coming up with some >> patches. But wanted to check if anyone else would find it useful. >> > > I would find this useful. But further, I have a ZFS root pool as well as > a ZFS backup pool. I don't want to exclude all of ZFS, just certain > pools, or even certain datasets. Guys, why do you think that FS type is significant for these periodic security checks? Why ZFS (or some other FS) must be immune to a rogue suid script or some other permissions-based security threat? If you are sure that your ZFS datasets can not be a source of such an attack, then why not: 1) either disable the periodic security check altogether? 2) or mark the appropriate datasets as noexec or nosuid to ensure your belief? -- Andriy Gapon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FA44933.4040902>