From owner-freebsd-fs@freebsd.org  Mon Nov 18 13:09:10 2019
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 49BCE1BF6F0
 for <freebsd-fs@mailman.nyi.freebsd.org>; Mon, 18 Nov 2019 13:09:10 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca
 [IPv6:2607:f3e0:0:3::19])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "pyroxene2.sentex.ca", Issuer "pyroxene2.sentex.ca" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 47Gq6F2Z5sz4PYs;
 Mon, 18 Nov 2019 13:09:09 +0000 (UTC) (envelope-from mike@sentex.net)
Received: from [192.168.43.29] ([192.168.43.29])
 by pyroxene2a.sentex.ca (8.15.2/8.15.2) with ESMTPS id xAID973M003166
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Mon, 18 Nov 2019 08:09:08 -0500 (EST) (envelope-from mike@sentex.net)
Subject: Re: ZFS snapdir readability (Crosspost)
To: Borja Marcos <borjam@sarenet.es>
Cc: Alan Somers <asomers@freebsd.org>, Jan Behrens <jbe-mlist@magnetkern.de>, 
 freebsd-fs <freebsd-fs@freebsd.org>
References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>
 <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com>
 <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net>
 <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es>
From: mike tancsa <mike@sentex.net>
Openpgp: preference=signencrypt
Autocrypt: addr=mike@sentex.net; keydata=
 mQENBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP
 xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s
 +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW
 yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH
 VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB
 AAG0HW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+iQFUBBMBCAA+FiEEmuvCXT0aY6hs
 4SbWeVOEFl5WrMgFAlywzOYCGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
 eVOEFl5WrMhnPAf7Bf+ola0V9t4i8rwCMGvzkssGaxY/5zNSZO9BgSgfN0WzgmBEOy/3R4km
 Yn5KH94NltJYAAE5hqkFmAwK6psOqAR9cxHrRfU+gV2KO8pCDc6K/htkQcd/mclJYpCHp6Eq
 EVJOiAxcNaYuHZkeMdXDuvvI5Rk82VHk84BGgxIqIrhLlkguoPbXOOa+8c/Mpb1sRAGZEOuX
 EzKNC49+GS9gKW6ISbanyPsGEcFyP7GKMzcHBPf3cPrewZQZ6gBoNscasL6IJeAQDqzQAxbU
 GjO0qBSMRgnLXK7+DJlxrYdHGXqNbV6AYsmHJ6c2WWWiuRviFBqXinlgJ2FnYebZPAfWibkB
 DQRcsMzkAQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4
 axtKRSG1t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1
 qzAJweEtRdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6c
 Lm0EiHPOl5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5
 o9KKu4O7gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQAB
 iQE8BBgBCAAmFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAlywzOQCGwwFCQHhM4AACgkQeVOE
 Fl5WrMhmjQf/dBCjAVn1J0GzSsHiLvSAQz1cchbdy8LD0Tnpzjgp5KLU7sNojbI8vqt4yKAi
 cayI88j8+xxNXPMWM4pHELuUuVHS5XTpHa/wwulUtI5w/zyKlUDsIvqTPZLUEwH7DfNBueVM
 WyNaIjV2kxSmM8rNMC+RkgyfbjGLCkmWsMRVuLIUYpl5D9WHmenUbiErlKU2KvEEXEg/aLKq
 3m/AdM9RAYsP9O4l+sAZEfyYoNJzDhTZMzn/9Q0uFPLK9smDQh4WBTFaApveVJPHRKmHPoNF
 Xxj+yScYdQ4SKH34WnhNSELvnZQ3ulH5tpASmm0w+GxfZqSc8+QCwoKtBRDUxoE56A==
Message-ID: <cfcc12dd-e9eb-5a98-a031-ab18436a2dd3@sentex.net>
Date: Mon, 18 Nov 2019 08:09:08 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Rspamd-Queue-Id: 47Gq6F2Z5sz4PYs
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates
 2607:f3e0:0:3::19 as permitted sender) smtp.mailfrom=mike@sentex.net
X-Spamd-Result: default: False [-2.71 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+ptr];
 NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[text/plain];
 HFILTER_HELO_IP_A(1.00)[pyroxene2a.sentex.ca];
 DMARC_NA(0.00)[sentex.net];
 HFILTER_HELO_NORES_A_OR_MX(0.30)[pyroxene2a.sentex.ca];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 IP_SCORE(-1.71)[ipnet: 2607:f3e0::/32(-4.93), asn: 11647(-3.55), country:
 CA(-0.09)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 13:09:10 -0000

On 11/18/2019 5:01 AM, Borja Marcos wrote:
>
>> On 11/6/2019 7:02 PM, Alan Somers wrote:
>>> Your analysis of the snapdir is correct.  Setting it to hidden doesn't make
>>> it inaccessible.  That's not unique to FreeBSD, however.  I believe it's
>>> common to all ZFS implementations (I just double checked on Oracle
>>> Solaris).  Also, the problem isn't unique to ZFS.  Any backup system would
>>> have the same problem, as long as users are allowed to access the backups
>>> directly.  And in fact, Bob could've directly observed Alice's id_rsa file
>>> before she changed it.  So I don't think this should be considered a
>>> security vulnerability.  The best course for Alice would be to consider her
>>> id_rsa as compromised as soon as she notices the problem, and delete it.
>> Still, it would be a nice feature to have where .zfs could be set to
>> root only read.    In a multi user system, my users (me included) do all
>> sorts of accidental foot shooting things like making files readable for
>> a brief period of time they should not make readable.  I think I recall
>> ZoL adding this as a feature back when I ran into this issue via zfs
>> allow / unallow ? Or at least I think I saw discussion about it.
>>
>> https://github.com/zfsonlinux/zfs/issues/3963
> The problem is, snapshot access breaks the semantics of chown() and chmod().
>
As the snapshots are always readonly, I think chown and chmod dont
really apply in this use case. Also, the fact that the mounts can be set
to be "visibile" or "invisible" has its own, different convention from
UFS/NFS who dont have that "invisibility" feature (that I know of anyway).

> Maybe a lesser evil would be to define a uid with snapshot access for each dataset. At least
> for systems with a dataset per home directory it would allow a user to access their past snapshots
> while at the same time restricting to past snapshots to other users.

the problem is you could have a "rogue" snapshot. eg. a user does chmod
a+rx ~ and leaves it on by mistake for a day. Any snapshots kept from
that period would leave that directory open. I think having a "snapshots
not mounted" option adds a layer of security flexibility safety. 


    ---Mike