Date: Wed, 20 Sep 2017 21:01:30 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-fs@FreeBSD.org Subject: [Bug 214981] ZFS happily and silently remounts any existing mount on pool import (POLA violation and security issue!) Message-ID: <bug-214981-3630-sqaGfaEECu@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-214981-3630@https.bugs.freebsd.org/bugzilla/>
index | next in thread | previous in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214981 --- Comment #4 from Vladimir Krstulja <vlad-fbsd@acheronmedia.com> --- (In reply to Andriy Gapon from comment #3) Unfortunately, in my view, that doesn't change anything. One major problem is with ZFS receives, which is what hit me in this case. The server was receiving backup pools from production, a root pool included. The obvious part is solved with import -R or -N, and giving -u to `zfs receive` so it doesn't mount received snapshots. All was well until after quite a long time I had to reboot the server. The act of unlocking the drives that contained the backup datasets, the very act of hitting enter on last geli passphrase imported and mounted everything it found, so I haven't had a chance to -R or -N. The security problem in this is also through received datasets. One could argue that you have to trust data you receive, and I partially agree. It doesn't help that ZFS does not, with this, offer any safety net in an form of an ability to prevent automatic importing + mounting, from happening at all. Oh yeah, disable zfs service maybe. But totally not a solution. Automatic, implicit, quiet, non-obvious remounts, especially of /, without the user explicitly stating it's okay to do so, should NEVER happen. Ever. I really hope this issue will be treated as a serious problem. -- You are receiving this mail because: You are the assignee for the bug.help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-214981-3630-sqaGfaEECu>