Date: Wed, 16 Aug 2017 12:12:18 +0200
From: Borja Marcos <borjam@sarenet.es>
To: Mike Tancsa <mike@sentex.net>
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject: Re: protecting zfs snapshot info
Message-ID: <003E0B0C-95C5-4D0B-91DB-393877480BDE@sarenet.es>
In-Reply-To: <b911a1d7-02ae-c16e-2534-f7b1b44215f7@sentex.net>
References: <d7fa3f0c-e00a-9c41-5430-1f381f71d3e0@sentex.net> <52984307-2C6C-454C-A69B-15FB4AE01E1B@sarenet.es> <5e3145ab-246a-f213-80b0-000dd801fbef@sentex.net> <b911a1d7-02ae-c16e-2534-f7b1b44215f7@sentex.net>

> On 15 Aug 2017, at 14:20, Mike Tancsa <mike@sentex.net> wrote:
>
> On 8/14/2017 8:57 AM, Mike Tancsa wrote:
>> On 8/14/2017 2:47 AM, Borja Marcos wrote:
>>>
>>>> On 12 Aug 2017, at 19:14, Mike Tancsa <mike@sentex.net> wrote:
>>>>
>>>>
>>>> Is there a way in zfs to protect non root users from seeing snapshots ?
>
>>> Good question and it’s a problem indeed. The .zfs directory is always created
>>> and it can be hidden but it’s still accessible. It’s a security problem that prevents
>>> an effective access revocation for a directory/file, I guess that’s what you mean.
>>
>> Yes, something like an extra option
>> hidden | visible | unmounted
>
> I did come across this thread
>
> https://github.com/zfsonlinux/zfs/issues/3963
>
> but it seems Linux specific or at least I don't see how it's done on FreeBSD.

Yes, it seems to be Linux specific and as far as I know there’s no way to do it on FreeBSD right now.

I would vouch for a third state added to the “snapdir” variable, but I wouldn’t call it “disabled”. “unmounted” or maybe “noauto” is much better in my opinion. The .zfs directory should still be created (maybe hidden when in “noauto” state in order to prevent it from being created by a user).

I don’t think a new permission is needed to control that variable, though. The “snapshot” permission implies that “mount” should be allowed as well at least in the current versions. So it’s redundant.

Or, actually, the “noauto” value for “snapdir” would eliminate the requirement for “mount” permissions. I mean: Right now the “snapshot” permission requires “mount” because the snapshot is mounted upon creation like it or not. If the snapshot was not automatically mounted thanks to the “noauto” value for “snapdir” it would be possible to have a user authorized to manage snapshots but unable to mount them. Given the very sensible nature of “mount” in Unix it makes sense.

Borja.
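
The access-revocation problem discussed in the message above can be checked for on a given file. This is an added example, not part of the original e-mail or of ZFS itself; the function names `other_read` and `stale_snapshot_access` are hypothetical, and it assumes the dataset mountpoint and a path relative to it are supplied by the administrator. It compares only the "other" read bit of the file itself, not parent directories or ACLs.

```sh
#!/bin/sh
# Added example (not from the original thread); function names are
# hypothetical. Lists the snapshots that still hold a world-readable copy
# of a file whose "other" read bit has since been removed in the live
# dataset, i.e. where the revocation did not reach the snapshots.
# Usage: stale_snapshot_access /dataset/mountpoint relative/path

# Print "r" if "other" may read the path, "-" if not.
# Character 8 of the ls -l mode string is the other-read position.
other_read() {
    ls -ld -- "$1" | cut -c8
}

stale_snapshot_access() {
    mnt=$1
    rel=$2
    live="$mnt/$rel"
    if [ ! -e "$live" ]; then
        echo "no such live path: $live" >&2
        return 2
    fi
    # Access was never revoked if the live copy is still world-readable.
    [ "$(other_read "$live")" = "-" ] || return 0
    # .zfs is named explicitly, so snapdir=hidden does not stop this glob.
    for snap in "$mnt"/.zfs/snapshot/*; do
        old="$snap/$rel"
        [ -e "$old" ] || continue      # file absent from this snapshot
        if [ "$(other_read "$old")" = "r" ]; then
            echo "${snap##*/}"         # snapshot name only
        fi
    done
    return 0
}
```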
