Date:      Wed, 8 Feb 2012 13:28:36 +0100
From:      Patrick Proniewski <patpro@patpro.net>
To:        Liste FreeBSD-security <freebsd-security@freebsd.org>
Subject:   zfs noexec override, sort of.
Message-ID:  <277F2E3F-AB7F-491A-ABB5-9178B0AC44BB@patpro.net>


Hi,

Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volumes. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute:

# zfs create tank/test-exec
# ls
  test-exec
# zfs get -r exec tank/test-exec
  NAME            PROPERTY  VALUE  SOURCE
  tank/test-exec  exec      off    local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
  bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec@noexec
# zfs get -r exec tank/test-exec
  NAME                   PROPERTY  VALUE  SOURCE
  tank/test-exec         exec      off    local
  tank/test-exec@noexec  exec      off    inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
  test-exec

Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property:

# zfs get -r exec tank/test-exec
  NAME                   PROPERTY  VALUE  SOURCE
  tank/test-exec         exec      off    local
  tank/test-exec@noexec  exec      on     temporary

So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots.

regards,
patpro
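
Added example, not part of the original post: a check that reads the tab-separated output of `zfs get -H -r -o name,value,source exec` and reports snapshots showing exec=on under a dataset set to exec=off, which is the state in the last listing above. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Flag snapshots whose exec property reads "on" while the dataset they
# belong to has exec=off (the mismatch described in the message above).
# Expected input: tab-separated name, value, source, one row per line, from
#   zfs get -H -r -o name,value,source exec <dataset>

find_exec_mismatch() {
    awk -F '\t' '
        # Rows without "@" are datasets: remember their exec value.
        index($1, "@") == 0 { exec_of[$1] = $2; next }
        # Rows with "@" are snapshots: keep them until all datasets are known.
        { snaps[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(snaps[i], f, "\t")
                parent = f[1]
                sub(/@.*/, "", parent)
                # Report snapshot name and property source on a mismatch.
                if (exec_of[parent] == "off" && f[2] == "on")
                    printf "%s\t%s\n", f[1], f[3]
            }
        }'
}

# Constructed sample rows (not captured from a real system). The first two
# mirror the final listing in the message; the rest are non-matching cases.
sample_output() {
    printf 'tank/test-exec\toff\tlocal\n'
    printf 'tank/test-exec@noexec\ton\ttemporary\n'
    printf 'tank/home\ton\tdefault\n'
    printf 'tank/home@daily\ton\tinherited from tank/home\n'
    printf 'tank/scratch\toff\tlocal\n'
    printf 'tank/scratch@daily\toff\tinherited from tank/scratch\n'
}

# Live use on a host with ZFS (the pool name "tank" is an assumption):
#   zfs get -H -r -o name,value,source exec tank | find_exec_mismatch
if [ "${1:-}" = "--demo" ]; then
    sample_output | find_exec_mismatch
fi
```

As the message shows, the snapshot only reports exec=on once it has been accessed and auto-mounted, so the check reflects the state at the time it runs.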



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?277F2E3F-AB7F-491A-ABB5-9178B0AC44BB>