From owner-freebsd-fs@freebsd.org Thu Nov 7 00:02:28 2019 Return-Path: Delivered-To: freebsd-fs@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id F32C617CBC4 for ; Thu, 7 Nov 2019 00:02:28 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 477k9b5Rk0z3KCN for ; Thu, 7 Nov 2019 00:02:27 +0000 (UTC) (envelope-from asomers@gmail.com) Received: by mail-ot1-f44.google.com with SMTP id b16so394447otk.9 for ; Wed, 06 Nov 2019 16:02:27 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=irX95Jo4NSrWLR+55DCo8/zDVMQSFd9KxtaNp2Vp81E=; b=dvAMSR3u/oVlS5qgsuxHlHqEtrWjJXm8rxS64FNQS9rKKzRW0U5sl0oj2qrTsjQk5J TuYhm3EVZeJb8fZBhlBYcc9cW5jxJBJMdBS1+ZaqecHVrHBNlWIomCTh5SIJiweEIaoK Y+bMkgUPl68Ekg1Fvi/Klh7W6obEIwt3+8q0Flb+0nn2idulZFPWySk8NiN+ORc1wKN8 hh2PgwN4qaSwKkPEV8Cf/TLGBYCt3h+Wh8KXcMN2MumWEj0YrArYiffGrOy1O0sZDLCS yyK543EUaWSpgpAbWaNOOQCncpcikjon6Kg4rM7Smbx4k5ZYhQH8MVlQ2F5T5DQ6XRfN f5gw== X-Gm-Message-State: APjAAAUkH9roaSP5xV08KPADmRG6fJbhbaZ2KfRsI2LrqE8jfEkARq4O ySngzuuDprfy/0L9iG0UGTnyaJlvdx0rgOryLPmsJFhQ X-Google-Smtp-Source: APXvYqzUrjNnAVirmf0wxFEAV+5h4SxAtLaPqtwMNgrTSzDn0/8be7/OnR50drKyrMQhEQqNdrLcwaUs4XonSSGWGoc= X-Received: by 2002:a05:6830:4a1:: with SMTP id l1mr330165otd.291.1573084946221; Wed, 06 Nov 2019 16:02:26 -0800 (PST) MIME-Version: 1.0 References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> In-Reply-To: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> From: Alan Somers Date: Wed, 6 Nov 2019 17:02:14 -0700 Message-ID: Subject: Re: ZFS snapdir readability (Crosspost) To: Jan Behrens Cc: freebsd-fs X-Rspamd-Queue-Id: 477k9b5Rk0z3KCN X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of asomers@gmail.com designates 209.85.210.44 as permitted sender) smtp.mailfrom=asomers@gmail.com X-Spamd-Result: default: False [-3.13 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; RWL_MAILSPIKE_GOOD(0.00)[44.210.85.209.rep.mailspike.net : 127.0.0.18]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-fs@freebsd.org]; DMARC_NA(0.00)[freebsd.org]; MIME_TRACE(0.00)[0:+,1:+,2:~]; TO_DN_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[44.210.85.209.list.dnswl.org : 127.0.5.0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; IP_SCORE(-1.13)[ip: (-0.39), ipnet: 209.85.128.0/17(-3.21), asn: 15169(-2.01), country: US(-0.05)]; FORGED_SENDER(0.30)[asomers@freebsd.org,asomers@gmail.com]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[asomers@freebsd.org,asomers@gmail.com]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Nov 2019 00:02:29 -0000 On Wed, Nov 6, 2019 at 4:46 PM Jan Behrens wrote: > Dear all, > > I'd like to crosspost an issue I have with the .zfs/snapdir directory. > My original post was in freebsd-questions@freebsd.org but apparently > nobody could answer my questions there. Since the topic is quite ZFS > specific, I wonder if this is the better place to ask my questions. > > Original subject: > ZFS snapdir readability - feature request or security issue? > > Original date: Sun, 27 Oct 2019 12:27:28 +0100 > > Dear all, > > I recently noticed that all ZFS filesystems in FreeBSD allow access to > the .zfs directory (snapdir) for all users of the system. It is > possible to hide that directory using the snapdir option: > > snapdir=hidden | visible > Controls whether the .zfs directory is hidden or visible in the root > of the file system as discussed in the "Snapshots" section. The > default value is hidden. > > However, setting snapdir=hidden will only "hide" the directory from > "ls". It is still possible to access that directory, also as a > non-privileged user! > > It seems to be impossible to restrict access to this directory. Calling > chmod 700 /.zfs results in "chmod: /.zfs: Operation not supported". > > Given the immutability of snapshots, the directories and files will > have access rights from the point in time when the snapshot was taken. > Considering a system that creates snapshots regularly (e.g. for backup > or replication purposes), this could lead to security issues, as I > would like to illustrate with the following example: > > Consider a user (Alice) who accidentally created a file > /usr/home/alice/.ssh/id_rsa as publicly readible, but who notices > shortly after that this was a mistake. Alice fixes her mistake by > calling: chmod 600 /usr/home/alice/.ssh/id_rsa > > If in the meantime a snapshot zroot/usr/home@2019-10-27 was taken, > which is intended to be kept for a longer time, then Bob will be able > to access Alice's private SSH key through the > file /usr/home/.zfs/snapshot/2010-10-27/alice/.ssh/id_rsa > > As far as I understand, there is no (clean) way to prohibit this, except > deleting the whole snapshot (which might not be desirable in all > scenarios). Note that: > > su - root > chmod 700 /usr/home/.zfs => Operation not supported > chmod 700 /usr/home/.zfs/snapshot => Operation not supported > chmod 700 /usr/home/.zfs/snapshot/2019-10-27 => Read-only file system > > Of course, one could argue that Alice shouldn't have made the mistake > in the first place. Nonetheless, I consider it to be a security issue > if regular snapshots cause files which were once publicly readable to > be always readable (as long as certain snapshots exist). Moreover, a > user might want to deliberatly block access to a file that was > intendedly public before. > > One (dirty) workaround I was able to figure out is to do a > mount_nullfs /var/empty /usr/home/.zfs which results in the following > behavior: > - /usr/home/.zfs is still hidden > - /usr/home/.zfs is empty for all users (root and non-privileged users) > > I was able to improve this by doing: > mkdir -p /usr/home/protected/snapshot > chmod 700 /usr/home/protected > mount_nullfs /usr/home/.zfs/snapshot /usr/home/protected/snapshot > mount_nullfs /var/empty /usr/home/.zfs > > This way, the root user can access the snapshot directory > through /usr/home/protected/snapshot while all other users should > (hopefully) not be able to gain access to snapshot data. This > workaround, however, has several drawbacks: > > - Considering a larger number of ZFS filesystems on an average system > (my system came with 14 file systems by default), this will bloat the > output of "mount" and easily cause confusion. > - There can be race conditions when mounting a previously unmounted ZFS > filesystem, such that for a small moment (after mounting the ZFS file > system and before doing the nullfs mount), a malicious user could > access the hidden .zfs directory. > - Using the default commands, it is likely to accidentally forget the > nullfs mount and leave the snapdir exposed to non-privileged users. > > Is there any other method to prohibit non-privileged users from > accessing the ZFS snapdir? If not, I would propose to add one. I'm not > even sure if this is a feature request or rather fixing a security > vulnerability as explained in the Alice & Bob example above. > > > Kind regards, > Jan Behrens > Your analysis of the snapdir is correct. Setting it to hidden doesn't make it inaccessible. That's not unique to FreeBSD, however. I believe it's common to all ZFS implementations (I just double checked on Oracle Solaris). Also, the problem isn't unique to ZFS. Any backup system would have the same problem, as long as users are allowed to access the backups directly. And in fact, Bob could've directly observed Alice's id_rsa file before she changed it. So I don't think this should be considered a security vulnerability. The best course for Alice would be to consider her id_rsa as compromised as soon as she notices the problem, and delete it. -Alan