ZFS snapdir readability (Crosspost)
pen at lysator.liu.se
Thu Nov 7 22:06:31 UTC 2019
The “easy” solution is to give each user (or group / project) their own ZFS filesystem. Then the “.zfs” directory would be inside the user's own $HOME and you can set $HOME to 0700….
That is what we are doing. Granted it generates a “few” filesystems (like some 20000 per server (we have around 120k users), and then add hourly snapshots to each as “icing” on the cake). Mounting all those takes a bit of time - but luckily with the latest FreeBSD release things are much faster these days :-)
There are some other issues with that - like 100% full filesystems causing severe system slowdown during writes… So you really wanna have some monitoring system that warns for that.
> I recently noticed that all ZFS filesystems in FreeBSD allow access to
> the .zfs directory (snapdir) for all users of the system. It is
> possible to hide that directory using the snapdir option:
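The monitoring the reply asks for, as an added example that is not part of the original post: a shell function that reads `zfs list -Hp -o name,used,available` output and reports per-user filesystems at or above a fill threshold. The dataset names and sizes are constructed, and treating used/(used+available) as the fill level assumes each per-user filesystem has its own quota.

```shell
#!/bin/sh
# Added example: warn about per-user ZFS filesystems that are nearly full.
# Input: tab-separated lines as printed by
#   zfs list -Hp -o name,used,available
# (-H: no header, tab-separated; -p: exact byte counts).

# full_datasets LIMIT
# Reads the listing on stdin and prints "name NN%" for every dataset whose
# fill level is at or above LIMIT percent. Malformed lines are skipped.
# Assumption: each dataset has its own quota, so "available" is the space
# left for that user rather than the free space of the whole pool.
full_datasets() {
    awk -F '\t' -v limit="$1" '
        NF == 3 && ($2 + $3) > 0 {
            pct = int(100 * $2 / ($2 + $3))
            if (pct >= limit) printf "%s %d%%\n", $1, pct
        }'
}

# Constructed sample listing (hypothetical pool "tank", sizes in bytes).
sample_listing() {
    printf 'tank/home/alice\t9500000000\t500000000\n'
    printf 'tank/home/bob\t1000000000\t9000000000\n'
    printf 'tank/home/carol\t10000000000\t0\n'
}

# Demo on the constructed data. On a real server the input would be
#   zfs list -Hp -o name,used,available -r <parent dataset>
sample_listing | full_datasets 90
```

Run from cron with a threshold below 100 so the warning arrives before writes start to slow down.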