From owner-freebsd-fs@freebsd.org  Thu Nov  7 14:54:13 2019
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 09B631B68DF
 for <freebsd-fs@mailman.nyi.freebsd.org>; Thu,  7 Nov 2019 14:54:13 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from pyroxene2a.sentex.ca (unknown [IPv6:2607:f3e0:0:3::19])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "pyroxene2.sentex.ca", Issuer "pyroxene2.sentex.ca" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4785yX6Dswz3Hd1;
 Thu,  7 Nov 2019 14:54:12 +0000 (UTC) (envelope-from mike@sentex.net)
Received: from [IPv6:2607:f3e0:0:4:a10d:ac5a:ce6d:7222]
 ([IPv6:2607:f3e0:0:4:a10d:ac5a:ce6d:7222])
 by pyroxene2a.sentex.ca (8.15.2/8.15.2) with ESMTPS id xA7EsBSb072038
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Thu, 7 Nov 2019 09:54:11 -0500 (EST) (envelope-from mike@sentex.net)
Subject: Re: ZFS snapdir readability (Crosspost)
To: Alan Somers <asomers@freebsd.org>, Jan Behrens <jbe-mlist@magnetkern.de>
Cc: freebsd-fs <freebsd-fs@freebsd.org>
References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>
 <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com>
From: mike tancsa <mike@sentex.net>
Openpgp: preference=signencrypt
Autocrypt: addr=mike@sentex.net; keydata=
 mQENBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP
 xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s
 +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW
 yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH
 VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB
 AAG0HW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+iQFUBBMBCAA+FiEEmuvCXT0aY6hs
 4SbWeVOEFl5WrMgFAlywzOYCGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
 eVOEFl5WrMhnPAf7Bf+ola0V9t4i8rwCMGvzkssGaxY/5zNSZO9BgSgfN0WzgmBEOy/3R4km
 Yn5KH94NltJYAAE5hqkFmAwK6psOqAR9cxHrRfU+gV2KO8pCDc6K/htkQcd/mclJYpCHp6Eq
 EVJOiAxcNaYuHZkeMdXDuvvI5Rk82VHk84BGgxIqIrhLlkguoPbXOOa+8c/Mpb1sRAGZEOuX
 EzKNC49+GS9gKW6ISbanyPsGEcFyP7GKMzcHBPf3cPrewZQZ6gBoNscasL6IJeAQDqzQAxbU
 GjO0qBSMRgnLXK7+DJlxrYdHGXqNbV6AYsmHJ6c2WWWiuRviFBqXinlgJ2FnYebZPAfWibkB
 DQRcsMzkAQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4
 axtKRSG1t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1
 qzAJweEtRdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6c
 Lm0EiHPOl5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5
 o9KKu4O7gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQAB
 iQE8BBgBCAAmFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAlywzOQCGwwFCQHhM4AACgkQeVOE
 Fl5WrMhmjQf/dBCjAVn1J0GzSsHiLvSAQz1cchbdy8LD0Tnpzjgp5KLU7sNojbI8vqt4yKAi
 cayI88j8+xxNXPMWM4pHELuUuVHS5XTpHa/wwulUtI5w/zyKlUDsIvqTPZLUEwH7DfNBueVM
 WyNaIjV2kxSmM8rNMC+RkgyfbjGLCkmWsMRVuLIUYpl5D9WHmenUbiErlKU2KvEEXEg/aLKq
 3m/AdM9RAYsP9O4l+sAZEfyYoNJzDhTZMzn/9Q0uFPLK9smDQh4WBTFaApveVJPHRKmHPoNF
 Xxj+yScYdQ4SKH34WnhNSELvnZQ3ulH5tpASmm0w+GxfZqSc8+QCwoKtBRDUxoE56A==
Message-ID: <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net>
Date: Thu, 7 Nov 2019 09:54:11 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Rspamd-Queue-Id: 4785yX6Dswz3Hd1
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-6.00 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; REPLY(-4.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 14:54:13 -0000

On 11/6/2019 7:02 PM, Alan Somers wrote:
>
> Your analysis of the snapdir is correct.  Setting it to hidden doesn't make
> it inaccessible.  That's not unique to FreeBSD, however.  I believe it's
> common to all ZFS implementations (I just double checked on Oracle
> Solaris).  Also, the problem isn't unique to ZFS.  Any backup system would
> have the same problem, as long as users are allowed to access the backups
> directly.  And in fact, Bob could've directly observed Alice's id_rsa file
> before she changed it.  So I don't think this should be considered a
> security vulnerability.  The best course for Alice would be to consider her
> id_rsa as compromised as soon as she notices the problem, and delete it.

Still, it would be a nice feature to have where .zfs could be set to
root only read.    In a multi user system, my users (me included) do all
sorts of accidental foot shooting things like making files readable for
a brief period of time they should not make readable.  I think I recall
ZoL adding this as a feature back when I ran into this issue via zfs
allow / unallow ? Or at least I think I saw discussion about it.

https://github.com/zfsonlinux/zfs/issues/3963


    ---Mike