From owner-freebsd-fs@freebsd.org  Wed Nov 20 16:07:51 2019
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6468E1BA917
 for <freebsd-fs@mailman.nyi.freebsd.org>; Wed, 20 Nov 2019 16:07:51 +0000 (UTC)
 (envelope-from borjam@sarenet.es)
Received: from cu01176b.smtpx.saremail.com (cu01176b.smtpx.saremail.com
 [195.16.151.151])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 47J6zV1T2Wz40My;
 Wed, 20 Nov 2019 16:07:49 +0000 (UTC)
 (envelope-from borjam@sarenet.es)
Received: from [172.16.8.16] (unknown [192.148.167.11])
 by proxypop01.sare.net (Postfix) with ESMTPA id 866F39DEB1E;
 Wed, 20 Nov 2019 17:07:45 +0100 (CET)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: ZFS snapdir readability (Crosspost)
From: Borja Marcos <borjam@sarenet.es>
In-Reply-To: <20191120163437.691abd369ab9c0a6d7d45ff2@magnetkern.de>
Date: Wed, 20 Nov 2019 17:07:44 +0100
Cc: Mike Tancsa <mike@sentex.net>, Alan Somers <asomers@freebsd.org>,
 freebsd-fs <freebsd-fs@freebsd.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF38B478-3638-4C18-B69F-E589DE9BBB95@sarenet.es>
References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>
 <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com>
 <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net>
 <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es>
 <cfcc12dd-e9eb-5a98-a031-ab18436a2dd3@sentex.net>
 <261FE331-EC5C-48C8-9249-9BCBF887CE38@sarenet.es>
 <913f7040-6e38-452d-6187-e17fae63b652@sentex.net>
 <20191120144041.7f916360dc0c69bf509c9bd1@magnetkern.de>
 <AEF4CA02-36B3-42FC-BE92-14DF0AF99540@sarenet.es>
 <20191120163437.691abd369ab9c0a6d7d45ff2@magnetkern.de>
To: Jan Behrens <jbe-mlist@magnetkern.de>
X-Mailer: Apple Mail (2.3445.104.11)
X-Rspamd-Queue-Id: 47J6zV1T2Wz40My
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org; dkim=none;
 dmarc=pass (policy=none) header.from=sarenet.es;
 spf=pass (mx1.freebsd.org: domain of borjam@sarenet.es designates
 195.16.151.151 as permitted sender) smtp.mailfrom=borjam@sarenet.es
X-Spamd-Result: default: False [-5.02 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; SH_EMAIL_ZRD(0.00)[5.11.0.38];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4];
 R_SPF_ALLOW(-0.20)[+ip4:195.16.151.0/24]; MV_CASE(0.50)[];
 MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 SH_EMAIL_DBL_DONT_QUERY_IPS(0.00)[5.11.0.38];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 DMARC_POLICY_ALLOW(-0.50)[sarenet.es,none];
 RCVD_IN_DNSWL_NONE(0.00)[151.151.16.195.list.dnswl.org : 127.0.10.0];
 IP_SCORE(-2.72)[ip: (-7.31), ipnet: 195.16.128.0/19(-3.69), asn: 3262(-2.66),
 country: ES(0.04)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 16:07:51 -0000



> On 20 Nov 2019, at 16:34, Jan Behrens <jbe-mlist@magnetkern.de> wrote:
>=20
> Security vulnerabilities during backup recovery (e.g. when recovering
> part of the backup but being forced to expose other data as well when
> mounting the system) are still security vulnerabilities. Of course
> limiting the security vulnerabilities to certain moments (partial
> backup recovery) is a nice step forward, but an even better solution
> would be to avoid security vulnerabilities at all times.

True.=20

> The latter requires to either
> (a) never mount snapshots ever, or

Well, they are useful for a reason :)

> (b) only mount snapshots when they are to be *completely* restored, or

Cloning is atomic. Receiving a snapshot stream, sorry, I don=E2=80=99t =
remember :/

> (c) be able to specify the user, group, and mode (unless 700 by
>    default) when mounting or auto-mounting the snapshots, or
> (d) be able to specify a mount point such that the mount point can be
>    within a directory that is not +x for everyone.

Well, there are two options here.

If by restoring snapshots you mean receiving a snapshot stream, you can =
always receive it under
a properly protected dataset. If you intend to mount (ie, clone) it the =
solution is the same. Actually
specifying a mount point when cloning a snapshot is mandatory. You are =
actually creating a dataset.

root@micro1:~ # zfs create unpul/forbidden
root@micro1:~ # chmod go-rwx /unpul/forbidden/

Anything I restore or clone under this dataset will be only accessible =
to root.=20

For example:

root@micro1:~ # zfs clone unpul/UniFi/data@5.11.38 =
unpul/forbidden/testing

(now back to a regular user)

borjam@micro1:/unpul % cd /unpul/forbidden/
/unpul/forbidden/: Permission denied.

Anyway this is not a problem, it=E2=80=99s exactly what you would do if =
you were reading a tape.=20

The real problem is the =E2=80=9Cunexpected=E2=80=9D, automatic, =
unavoidable mounting of the .zfs directory.=20

Or am I missing anything?=20



Borja.