Date:      Fri, 8 Nov 2019 12:52:26 +0100
From:      Jan Behrens <jbe-mlist@magnetkern.de>
To:        Andriy Gapon <avg@FreeBSD.org>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: ZFS snapdir readability (Crosspost)
Message-ID:  <20191108125226.4ffebc252e69c6cfa3c82165@magnetkern.de>
In-Reply-To: <46343d6b-b614-2942-a28c-1ba8f28dd5a0@FreeBSD.org>
References:  <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> <CAOtMX2huHZcXHH+=3Bx7hX_p9udJ2acOX+ZL8vW=pjqbe6mOAA@mail.gmail.com> <20191107012027.9639f3a9dda1941518358a52@magnetkern.de> <0a823048-d191-72e8-e20b-0491ebd4ea4a@peak.org> <20191107033622.16414272ae743d50f75786ec@magnetkern.de> <46343d6b-b614-2942-a28c-1ba8f28dd5a0@FreeBSD.org>

On Thu, 7 Nov 2019 08:37:15 +0200
Andriy Gapon <avg@FreeBSD.org> wrote:

> On 07/11/2019 04:36, Jan Behrens wrote:
> > [...]
> > 
> > Not all application fields of snapshots, however, (whether backup or
> > replication or other) have the purpose of letting non-privileged users
> > access the data. With the current implementation of ZFS I have no
> > choice on whether I want this behavior or consider it a security
> > problem that should be avoided in my scenario. This also applies to
> > snapshots taken for other reasons than (user readable) backups.
> 
> It's an interesting problem.
> My take is that snapshots are snapshots and that's how they are.
> If you don't like how they work and you actually only need backups, then you can
> take backups.  E.g., take a snapshot, send it (either full or incremental) to a
> backup file in a secure location or to a secure backup system, create a bookmark
> for the snapshot -- if you will need future incremental snapshots, destroy the
> snapshot.
> No snapshots, no .zfs issues :)
> 
> -- 
> Andriy Gapon

That is interesting; I didn't understand the concept of bookmarks
before. This would solve the problem of needing to keep snapshots
around on the originating server when some data has not been replicated
to all destinations yet.

It solves the problem of having accidentally readable files sticking
around for more than a few seconds if the snapshots (or rather:
bookmarks) are created for purposes of replication only.

Still, this solution implies either
* using snapshots *only* to create bookmarks and deleting them right
  afterwards, or
* dealing with the security issues mentioned in my original post.

Of course, "take as is or don't use it" is a valid approach to avoid
using insecure software, but I believe adding an option to restrict
readability of .zfs/snapdir to the owner of the root would
significantly improve security, especially as some operators might not
even be aware of the risks. (This issue has been lurking around for
years, see the link posted by Mike
<https://github.com/zfsonlinux/zfs/issues/3963>.)

Regards
Jan
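The snapshot, send, bookmark, destroy rotation Andriy describes, written out as an added example (not code from either poster); the dataset, snapshot, bookmark and destination names are hypothetical placeholders, and `plan_rotation` only prints the commands so the sequence can be reviewed before `run_rotation` executes it:

```shell
#!/bin/sh
# Added example, not from the thread: rotate a replication snapshot so that the
# snapshot (and with it the entry under .zfs/snapshot) exists only for the
# duration of the send. What remains on the source is a bookmark, which keeps
# the incremental base but exposes no file data.
# All dataset/bookmark/destination names below are hypothetical.

# plan_rotation <dataset> <snapname> <dest-file> [prev-bookmark]
# Prints one command per line; nothing is executed here.
plan_rotation() {
    ds=$1; snap=$2; dest=$3; prev=$4
    echo "zfs snapshot $ds@$snap"
    if [ -n "$prev" ]; then
        # incremental stream relative to the bookmark left by the previous run
        echo "zfs send -i $ds#$prev $ds@$snap > $dest"
    else
        # first run: full stream
        echo "zfs send $ds@$snap > $dest"
    fi
    # bookmark named after the snapshot becomes the base for the next run
    echo "zfs bookmark $ds@$snap $ds#$snap"
    # the snapshot itself is no longer needed, so it no longer lingers in .zfs
    echo "zfs destroy $ds@$snap"
}

# run_rotation: same arguments; executes the plan and stops at the first failure
run_rotation() {
    plan_rotation "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Real run (needs zfs and the privilege to snapshot/send/destroy):
#   run_rotation tank/home 2019-11-08 /backup/home-2019-11-08.zfs 2019-11-07
```

Keep `$dest` on a filesystem (or remote system) with restrictive permissions, since the stream carries the same data the snapshot did.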