From: Patrick Proniewski
Date: Wed, 8 Feb 2012 13:28:36 +0100
To: Liste FreeBSD-security
Subject: zfs noexec override, sort of.
Message-Id: <277F2E3F-AB7F-491A-ABB5-9178B0AC44BB@patpro.net>

Hi,

Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volumes. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute:

    # zfs create tank/test-exec
    # ls
    test-exec
    # zfs get -r exec tank/test-exec
    NAME            PROPERTY  VALUE  SOURCE
    tank/test-exec  exec      off    local
    # cp /bin/ls /tank/test-exec/
    # /tank/test-exec/ls
    bash: /tank/test-exec/ls: Permission denied
    # zfs snapshot tank/test-exec@noexec
    # zfs get -r exec tank/test-exec
    NAME                   PROPERTY  VALUE  SOURCE
    tank/test-exec         exec      off    local
    tank/test-exec@noexec  exec      off    inherited from tank/test-exec
    # /tank/test-exec/.zfs/snapshot/noexec/ls
    test-exec

Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property:

    # zfs get -r exec tank/test-exec
    NAME                   PROPERTY  VALUE  SOURCE
    tank/test-exec         exec      off    local
    tank/test-exec@noexec  exec      on     temporary

So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots.

regards,
patpro
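
An added example, not part of the original post: a shell check an administrator could run to spot the condition shown in the last listing, a snapshot reporting exec=on while its parent dataset is exec=off. The function names and the sample data are constructed for illustration; the input format assumed is the tab-separated output of `zfs get -H -r -o name,value,source exec`.

```sh
#!/bin/sh
# Added example (not from the original post).
# Flags snapshots whose exec property is "on" although the dataset they
# belong to is set to exec=off, as in the tank/test-exec@noexec listing.
# Input on stdin: tab-separated name, value, source, one property per line.

find_exec_overrides() {
    awk -F '\t' '
        # Live datasets (no "@" in the name): remember their exec setting.
        $1 !~ /@/ { exec_of[$1] = $2; next }
        # Snapshots: store them, the parent line may come later in the input.
        { snap[++n] = $1; sval[n] = $2; ssrc[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                parent = snap[i]
                sub(/@.*/, "", parent)      # strip "@snapname"
                if (exec_of[parent] == "off" && sval[i] == "on")
                    printf "%s\t%s\n", snap[i], ssrc[i]
            }
        }'
}

# Constructed sample input: the first two lines mirror the post's output,
# the rest are made-up datasets that must not be flagged.
sample_zfs_output() {
    printf 'tank/test-exec\toff\tlocal\n'
    printf 'tank/test-exec@noexec\ton\ttemporary\n'
    printf 'tank/home\ton\tdefault\n'
    printf 'tank/home@daily\ton\ttemporary\n'
    printf 'tank/other\toff\tlocal\n'
    printf 'tank/other@daily\toff\tinherited from tank/other\n'
}

# Demo on the constructed sample; prints the flagged snapshot and its source.
sample_zfs_output | find_exec_overrides

# On a live system (pool name "tank" taken from the post):
#   zfs get -H -r -o name,value,source exec tank | find_exec_overrides
```

Only snapshots that have already been auto-mounted show the temporary exec=on value, so an empty result says nothing about snapshots that have not been accessed yet.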