ZFS snapdir readability (Crosspost)
Jan Behrens
jbe-mlist at magnetkern.de
Thu Nov 7 00:20:38 UTC 2019
> On Wed, Nov 6, 2019 at 4:46 PM Jan Behrens <jbe-mlist at magnetkern.de> wrote:
>
> > I recently noticed that all ZFS filesystems in FreeBSD allow access to
> > the .zfs directory (snapdir) for all users of the system.
On Wed, 6 Nov 2019 17:02:14 -0700
Alan Somers <asomers at freebsd.org> wrote:
> Your analysis of the snapdir is correct. Setting it to hidden doesn't make
> it inaccessible. That's not unique to FreeBSD, however. I believe it's
> common to all ZFS implementations (I just double checked on Oracle
> Solaris).
I already suspected that this might be an issue originating from ZFS
itself (and not be FreeBSD specific). Thank you for the research (I
don't have a Solaris system at hand ;-)
> Also, the problem isn't unique to ZFS. Any backup system would
> have the same problem, as long as users are allowed to access the backups
> directly.
My problem here is that with most (or maybe even all) other backup
systems, I would be able to restrict ordinary users from accessing all
backups. So I consider this problem to be pretty much unique to ZFS
(unless I misunderstood your point?)
> And in fact, Bob could've directly observed Alice's id_rsa file
> before she changed it. So I don't think this should be considered a
> security vulnerability. The best course for Alice would be to consider her
> id_rsa as compromised as soon as she notices the problem, and delete it.
>
> -Alan
I already foresaw this argument and mentioned a possible
counter-argument:
> > Of course, one could argue that Alice shouldn't have made the mistake
> > in the first place. Nonetheless, I consider it to be a security issue
> > if regular snapshots cause files which were once publicly readable to
> > be always readable (as long as certain snapshots exist). Moreover, a
> > user might want to deliberatly block access to a file that was
> > intendedly public before.
There could be several examples (other than an ssh key file) where
someone wants to restrict access to a previously publicly readable file
(whether it was deliberately publicly readable or accidentally publicly
readable).
Regards
Jan
More information about the freebsd-fs
mailing list