Date: Thu, 21 Nov 2019 17:49:26 +0100 From: Jan Behrens <jbe-mlist@magnetkern.de> To: Martin Simmons <martin@lispworks.com> Cc: borjam@sarenet.es, freebsd-fs@freebsd.org Subject: Re: ZFS snapdir readability (Crosspost) Message-ID: <20191121174926.17bf250f4c65964620811554@magnetkern.de> In-Reply-To: <201911211119.xALBJSIW030544@higson.cam.lispworks.com> References: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de> <CAOtMX2huHZcXHH%2B=3Bx7hX_p9udJ2acOX%2BZL8vW=pjqbe6mOAA@mail.gmail.com> <e2eecef7-21b6-0ff2-b259-71421b7d097c@sentex.net> <9B22AD46-BE87-4305-9638-74D23AD4C8CA@sarenet.es> <cfcc12dd-e9eb-5a98-a031-ab18436a2dd3@sentex.net> <261FE331-EC5C-48C8-9249-9BCBF887CE38@sarenet.es> <913f7040-6e38-452d-6187-e17fae63b652@sentex.net> <20191120144041.7f916360dc0c69bf509c9bd1@magnetkern.de> <AEF4CA02-36B3-42FC-BE92-14DF0AF99540@sarenet.es> <20191120163437.691abd369ab9c0a6d7d45ff2@magnetkern.de> <CF38B478-3638-4C18-B69F-E589DE9BBB95@sarenet.es> <20191120175803.03401c3316fe756cc46f79f1@magnetkern.de> <201911211119.xALBJSIW030544@higson.cam.lispworks.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 21 Nov 2019 11:19:28 GMT Martin Simmons <martin@lispworks.com> wrote: > > Mounting is not the same as cloning and mounting. But you are right: If > > snapshots are cloned first, you can specify the mountpoint. But then > > you are mounting a new file system and not a snapshot technically. > > Which brings us back to option (a) never mount snapshots ever ;-) > > > > Given that we can prohibit the automounting of all snapshots, it would > > be a nice workaround which would not have too much overhead. > > Can't you already achieve (d) using /sbin/mount? > > __Martin Thanks for pointing that out, I didn't know. It works on my system (FreeBSD 12.0). mount -t zfs filesystem@snapshot /mnt "-o ro" is optional, in either case it is mounted read-only. Thus, if auto-mounting of the snapshots in .zfs/snapshot can somehow be disabled (or if access to .zfs can be restricted to root), it would be possible to mount snapshots in such way that only certain users can access them. mkdir /protected mkdir /protected/mnt chgrp snapreaders /protected chmod 770 /protected mount -t zfs -o ro filesystem@snapshot /protected/mnt It's not nice to have the extra parent directory (/protected) but at least it would work. Of course, this requires that access to .zfs/snapshot is prohibited for non-privileged users (or that snapshot automounting is disabled), as the solution is pointless if users can circumvent access restrictions by accessing .zfs/snapshot/. As far as I know, there is no way to disable having .zfs/snapshot readable by everyone, is that correct? Regards, Jan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191121174926.17bf250f4c65964620811554>