[Bug 214981] ZFS happily and silently remounts any existing mount on pool import (POLA violation and security issue!)

bugzilla-noreply at freebsd.org
Wed Sep 20 21:01:31 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214981

--- Comment #4 from Vladimir Krstulja <vlad-fbsd at acheronmedia.com> ---
(In reply to Andriy Gapon from comment #3)

Unfortunately, in my view, that doesn't change anything. One major problem is
with ZFS receives, which is what hit me in this case. The server was receiving
backup pools from production, a root pool included.

The obvious part is solved with import -R or -N, and giving -u to `zfs receive`
so it doesn't mount received snapshots. All was well until, after quite a long
time, I had to reboot the server. The act of unlocking the drives that contained
the backup datasets, the very act of hitting enter on the last geli passphrase,
imported and mounted everything it found, so I didn't have a chance to use -R
or -N.

The security problem in this is also through received datasets. One could argue
that you have to trust data you receive, and I partially agree. It doesn't help
that ZFS does not, with this, offer any safety net in the form of an ability to
prevent automatic importing and mounting from happening at all. Oh yeah, disable
the zfs service, maybe. But that's totally not a solution.

Automatic, implicit, quiet, non-obvious remounts, especially of /, without the
user explicitly stating it's okay to do so, should NEVER happen. Ever.

I really hope this issue will be treated as a serious problem.

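The comment above describes the workaround of importing with `zpool import -N` (nothing gets mounted) and receiving with `zfs receive -u`, and the remaining risk that datasets carrying a production mountpoint such as `/` get mounted over the live system later. The following is an added example, not code from the bug report or from FreeBSD: a small POSIX sh audit that, given the output of `zfs list -H -t filesystem -o name,mountpoint,canmount` for a pool imported with `-N` (no altroot, so the mountpoint column shows the raw property), flags every dataset that would mount automatically at a path that is already mounted on the running system, and emits the `zfs set canmount=noauto` commands that disarm them. The pool name `backup`, the dataset names and the listing and live-mount samples are constructed for the example; nothing here runs `zfs` or `zpool`, so the output can be reviewed before acting on it.

```shell
#!/bin/sh
# Added example, not part of the original bug report. Pool and dataset
# names below are made up.

# Constructed sample of:
#   zfs list -H -t filesystem -o name,mountpoint,canmount -r backup
# (tab-separated), for a backup pool that received a production root pool.
SAMPLE_DATASETS="$(printf '%s\n' \
  "$(printf 'backup\tnone\toff')" \
  "$(printf 'backup/prod\tnone\toff')" \
  "$(printf 'backup/prod/ROOT/default\t/\ton')" \
  "$(printf 'backup/prod/usr/home\t/usr/home\ton')" \
  "$(printf 'backup/prod/var/log\t/var/log\ton')" \
  "$(printf 'backup/prod/srv\t/srv\ton')" \
  "$(printf 'backup/scratch\t/tmp\tnoauto')")"

# Constructed sample of the mountpoints currently in use on the host
# (what one would take from `mount -p`), one per line.
SAMPLE_LIVE='/
/usr/home
/var/log
/tmp'

# colliding_datasets LISTING LIVE
# Prints "name<TAB>mountpoint" for every dataset with canmount=on whose
# mountpoint is already a live mount. Datasets with canmount=off/noauto
# are skipped (they are not mounted by `zfs mount -a`), as are the
# non-path mountpoint values none, legacy and "-".
colliding_datasets() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name mp cm; do
        [ "$cm" = "on" ] || continue
        case "$mp" in none|legacy|-) continue ;; esac
        # -x: whole-line match, -F: literal string, not a regex
        if printf '%s\n' "$2" | grep -qxF -- "$mp"; then
            printf '%s\t%s\n' "$name" "$mp"
        fi
    done
}

# noauto_commands LISTING LIVE
# Emits one `zfs set canmount=noauto <dataset>` line per colliding dataset.
# Nothing is executed here; pipe the output into sh only after review.
noauto_commands() {
    colliding_datasets "$1" "$2" | while IFS="$(printf '\t')" read -r name mp; do
        printf 'zfs set canmount=noauto %s\n' "$name"
    done
}

# Stand-alone run on the constructed samples.
noauto_commands "$SAMPLE_DATASETS" "$SAMPLE_LIVE"
```

On a real host the two inputs come from `zfs list -H -t filesystem -o name,mountpoint,canmount -r <pool>` and from the mounted-filesystem list; `backup/prod/srv` is not flagged because nothing is mounted at `/srv`, and `backup/scratch` is not flagged because canmount=noauto already keeps it out of `zfs mount -a`. Setting canmount=noauto is a property change on the received dataset, so it has to be reapplied if a later receive with `-F` rolls the dataset back past it.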