Date: Wed, 20 Nov 2019 14:40:41 +0100 From: Jan Behrens <jbe-mlist@magnetkern.de> To: Mike Tancsa <mike@sentex.net> Cc: Borja Marcos <borjam@sarenet.es>, Alan Somers <asomers@freebsd.org>, freebsd-fs <freebsd-fs@freebsd.org> Subject: Re: ZFS snapdir readability (Crosspost) Message-ID: <20191120144041.7f916360dc0c69bf509c9bd1@magnetkern.de> In-Reply-To: <913f7040-6e38-452d-6187-e17fae63b652@sentex.net> References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> <CAOtMX2huHZcXHH%2B=3Bx7hX_p9udJ2acOX%2BZL8vW=pjqbe6mOAA@mail.gmail.com> <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net> <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es> <cfcc12dd-e9eb-5a98-a031-ab18436a2dd3@sentex.net> <261FE331-EC5C-48C8-9249-9BCBF887CE38@sarenet.es> <913f7040-6e38-452d-6187-e17fae63b652@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 20 Nov 2019 08:24:43 -0500 Mike Tancsa <mike@sentex.net> wrote: > On 11/20/2019 5:07 AM, Borja Marcos wrote: > > You could make snapshots not mounted, period, requiring administrator’s actions to mount them. But you > > would lose convenience for common users. > > Actually, thats all I am advocating for-- settings perms on the > accessibility of the snapshot. ie instead of the "invisibility" feature, > change it to an "inaccessible" feature. > > ---Mike This would solve the security problem, but only as long as snapshots are never mounted. Once they are mounted (unless you can specify the directory where they are mounted), unprivileged users could still access files they should not be allowed to access. A better solution would be to specify user, group, and modes (e.g. root:root 700) when mounting or auto-mounting snapshots. Regards, Jan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191120144041.7f916360dc0c69bf509c9bd1>